Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the last login over an IP's client range

arkonner
Path Finder
‎04-21-2016 04:57 AM

I am using the search below to find the last login over a subnet in a 24hr range. Using the "dedup Account_Name" if the same Account_Name perform a login over more than one IP I will receive only one result. I am looking to find all last login over the entire range of ip address (src_ip)

Thank you in advance

index="main" Source_Network_Address="10.3.140.*" EventCode=4624 Account_Name="*" AND Account_Name !=CZ* AND Account_Name !=5* AND Account_Name !=CN* AND Account_Name !=ANONYMOUS* AND Security_ID="*" | dedup Account_Name | table Account_Name  Security_ID src_ip _time
Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎05-16-2017 07:16 AM

When posting code, be sure to mark it as code so that the system doesn't read an asterisk as a formatting command, and doesn't delete items in angle brackets as bad html. I've fixed that for you.

There are various ways - highlight the code and hit the code button (101 010), or put grave accents (`) before and after the entire chunk of code, or indent each line by at least four spaces. There's also a function key, IIRC.

0 Karma
Reply

sundareshr
Legend
‎04-21-2016 06:31 AM

Try this

index="main" Source_Network_Address="10.3.140." EventCode=4624 Account_Name="" AND Account_Name !=CZ* AND Account_Name !=5* AND Account_Name !=CN* AND Account_Name !=ANONYMOUS* AND Security_ID="*" | stats latest(Account_Name) latest(Security_ID) by src_ip _time
0 Karma
Reply

DalJeanis
Legend
‎05-16-2017 07:17 AM

@sundareshr - There were some asterisks missing from the original code, please see the updated post.

0 Karma
Reply

arkonner
Path Finder
‎04-21-2016 07:20 AM

alt text

The result is reported below - The account_name is not reported and there is a duplication of events instead of only the last one

Preview file
52 KB
0 Karma
Reply

jclehmuth
Path Finder
‎05-16-2017 07:06 AM

sundareshr search worked, minus the small error...
| stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%m/%Y %H:%M:%S")

should be | stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%d/%Y %H:%M:%S")

0 Karma
Reply

arkonner
Path Finder
‎04-22-2016 12:12 AM

Hi,

I did the change but the result is almost the samealt text

Preview file
70 KB
0 Karma
Reply

sundareshr
Legend
‎04-21-2016 07:34 AM

The reason Account_Name is not reported is because you have a Account_Name="" in your search. Remove that. Also, make this change `.... | stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%m/%Y %H:%M:%S")

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...