Authentication Search Queries

luckymaddy · ‎04-27-2015

Hi,

I am new to Splunk ,I want to get reports for the below.Please help in writing queires for the below scenarios.

1.Top 10 failed logins over the past 30 days
2.Average number of user check outs by region.

Thanks in Advance

NOUMSSI · ‎04-27-2015

Hi,
for the first question: if you have field login or status that take "failed" as value, and user field; here is the query:

index=... status=failed earliest=-30d latest=now|top limit=10 users|table user ...

For the second, if you have region field, here is the query:

 index=... | stats avg(user) by region|table user avg(user) ...

stephane_cyrill · ‎04-27-2015

Hi If you can provide a sample data it will be very easy to help you.

your search can look like this: a-assuming you have a security file. source=security_log_file failed login ted Answer | timecart span = 30d limit =10 .......

b. assuming you want to have it directly from splunk:

index = _audit action = failure earliest=-30d | stats values(user) AS Users, values(action) |top limit =10 action

OR
index = _audit action = failure earliest =-30d|top limit=10 action

2.Average number of user check outs by region.

if you have a field in which you keep number of user( may be per month, day, ..........), do something like this:

.........|stats avg(your_field) by region

NOTE: your search depends on you data so please take time to post your sample data next time.

see
docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual