Tracking Failed Logins by Usernames, reason for fa...

ypop · ‎04-03-2018

We have a simple query which tracks failed login attempts, however, the eventstats function is unable to give me the proper count filter where we need only results where a user has exceeded a specific amount of login attempts:
What our current query looks like:
index=localLogFile loginFail: host=LocalServer | rex field=_raw " ]\s\w{4}:\s(?P/*?):" | eventstats count AS aFieldCount by FailReason | eventstats count(InfoMessage) AS EventCountTotal | table ipAddress UserName FailReason Info Message aFieldCount EventCountTotal

What I'm looking to add to this query
We are looking to simply add another instance of eventstats or stats count that will give us the number of failed attempts when it is less than or greater than a specific number of occurrences, allowing us to later generate a report that will trigger when someone has attempted to log in more times than they should have.

Any direction or help is appreciated

splunker12er · ‎04-03-2018

try something like this,

makeresults|stats count(_raw) as total_failure_attempts by FailReason| eval occurrence=10|where total_failure_attempts>occurrence | table field_1 field_2 field_3

ypop · ‎04-04-2018

Thank you,
I ended up combing your logic with my existing query successfully.

Tracking Failed Logins by Usernames, reason for failure, and more

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!