Security

Authentication Search Queries

luckymaddy
Explorer

Hi,

I am new to Splunk ,I want to get reports for the below.Please help in writing queires for the below scenarios.

1.Top 10 failed logins over the past 30 days
2.Average number of user check outs by region.

Thanks in Advance

0 Karma

NOUMSSI
Builder

Hi,
for the first question: if you have field login or status that take "failed" as value, and user field; here is the query:

index=... status=failed earliest=-30d latest=now|top limit=10 users|table user ...

For the second, if you have region field, here is the query:

 index=... | stats avg(user) by region|table user avg(user) ...
0 Karma

stephane_cyrill
Builder

Hi If you can provide a sample data it will be very easy to help you.

  1. your search can look like this: a-assuming you have a security file. source=security_log_file failed login ted Answer | timecart span = 30d limit =10 .......

b. assuming you want to have it directly from splunk:

index = _audit action = failure earliest=-30d | stats values(user) AS Users, values(action) |top limit =10 action

OR
index = _audit action = failure earliest =-30d|top limit=10 action

2.Average number of user check outs by region.

if you have a field in which you keep number of user( may be per month, day, ..........), do something like this:

.........|stats avg(your_field) by region

NOTE: your search depends on you data so please take time to post your sample data next time.

see
docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...