Report results when there was no previous activity of field

rwiltzius
Explorer

Hello,

I am currently using the following syntax to retrieve details of IP addresses that were used by multiple accounts to log in. The search time range is currently dynamic and can be simply adjusted by modifying the time range picker.

index="main" sourcetype="logs"
| iplocation RemoteAddr
| stats dc(SignonUserId) as UniqueAccounts by RemoteAddr
| where UniqueAccounts > 1
| sort -UniqueAccounts

I’m looking for a way that will report back the results only when the UniqueAccounts is greater than 2 AND there was no previous login activity by RemoteAddr prior to today. So for example, if it found 1.1.1.1 has been periodically used over the last 7+ days, then it would not pop up as a result when it found the IP address was used by 2 unique accounts to login today. Please let me know if you have any questions.

1 Solution

rwiltzius
Explorer

I was able to resolve this using the following syntax:

index="main" sourcetype="logs"
| stats dc(SignonUserId) as RecentUniqueLogins by RemoteAddr
| where RecentUniqueLogins > 1
| append
    [ search index="main" sourcetype="logs" earliest=-30d@d latest=@d
    | stats dc(SignonUserId) as TotalUniqueLogins by RemoteAddr ]
| stats sum(RecentUniqueLogins) as RL sum(TotalUniqueLogins) as TL by RemoteAddr
| where RL = TL
| iplocation RemoteAddr
| fields RemoteAddr, RL, TL, Country, Region, City
| rename RemoteAddr as "IP Address", RL as "Yesterday Unique Logins", TL as "Total Unique Logins", Region as "Region/State"

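The same detection logic as the search above, written in Python over a handful of constructed login events so the two windows can be checked by hand. This is an added example, not code from the original thread; the event tuples, the `new_multi_account_ips` function and the 30-day lookback that stops at the start of the reporting day are all assumptions mirroring the SPL.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample events, not from the original post:
# (timestamp, RemoteAddr, SignonUserId)
SAMPLE_EVENTS = [
    ("2024-03-09T08:12:00", "203.0.113.5", "alice"),
    ("2024-03-09T08:15:00", "203.0.113.5", "bob"),      # new IP, 2 accounts today -> reported
    ("2024-03-09T09:00:00", "198.51.100.7", "carol"),
    ("2024-03-09T09:30:00", "198.51.100.7", "dave"),
    ("2024-03-02T10:00:00", "198.51.100.7", "carol"),   # seen a week ago -> suppressed
    ("2024-03-09T11:00:00", "192.0.2.9", "erin"),       # single account -> below threshold
]


def new_multi_account_ips(events, today_iso, baseline_days=30, min_accounts=2):
    """Return {RemoteAddr: sorted accounts} for IPs that signed in with at least
    `min_accounts` distinct accounts on `today_iso` and had no login activity in
    the baseline window [today - baseline_days, today).

    Mirrors the SPL: dc(SignonUserId) per RemoteAddr for the reporting day,
    suppressed when the IP appears in a 30-day lookback that excludes that day.
    """
    today = date.fromisoformat(today_iso)
    baseline_start = today - timedelta(days=baseline_days)
    recent = defaultdict(set)   # ip -> distinct accounts seen today
    seen_before = set()         # ips with any activity in the baseline window
    for ts, ip, user in events:
        day = datetime.fromisoformat(ts).date()
        if day == today:
            recent[ip].add(user)
        elif baseline_start <= day < today:
            seen_before.add(ip)
    return {
        ip: sorted(users)
        for ip, users in recent.items()
        if len(users) >= min_accounts and ip not in seen_before
    }


if __name__ == "__main__":
    for ip, users in new_multi_account_ips(SAMPLE_EVENTS, "2024-03-09").items():
        print(f"{ip}: {len(users)} accounts ({', '.join(users)}), no prior activity")
```

Raising `min_accounts` to 3 applies the "greater than 2" threshold mentioned in the question rather than the `> 1` used in the search.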
