Inconsistency in the data every day while running ...

deepthi5 · ‎07-06-2022

index=wineventlog EventCode=4625 | search user!="sa*" AND user!="VD*" AND user_email!=""

| bucket _time span=10m

| eval minute=strftime(_time, "%M")

| eval hour=strftime(_time, "%H")

| eval day=strftime(_time, "%D")

| eval wday=strftime(_time, "%A")

| stats count(EventCode) as aantal by hour, wday, day

| rename aantal as #_failed_logins

| eval search_value = wday+"_"+hour

| table hour, day, wday, search_value, #_failed_logins, upperBound, upperBound_2stdev, upperBound_2.5stdev, upperBound_3stdev, upperBound_3.5stdev, upperBound_4stdev, twoSigmaLimit, hour_avg, hour_avg_2sig, hour_stdev, hour_stdev_2sig

Every day this query gives a different count

somesoni2 · ‎07-06-2022

Different count of rows OR different count for #_Failed_Logins?

The number of rows depends upon the availability of events in Splunk, so they may not be same every day (unless you expect same number failed logins every day occurring on same hour every day).

deepthi5 · ‎07-06-2022

Different count of #_Failed_logins

Inconsistency in the data every day while running the query report

saved search

scheduled search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation