Tracking user login from different IP within a given time frame

New Member

I am attempting to identify users who are logging in from 2 or more IPs within a given amount of time.

| timechart span="10m" dc(source_ip) as dsip by user 

This does appear to work, but it still gives me dsip=1. If I attempt to add | where dsip > 1 it does not return any results.

Any help would be greatly appreciated.

Thanks much

Tags (4)
0 Karma

Splunk Employee
Splunk Employee

If two IPs are used by one user within 10 minutes, but not the 10 minutes being evaluated, then above search would not return results. Example: if first IP is used at 12:05 and second IP is used at 12:12 while the the first 10 minute span evaluated is 12:00-12:10 and the second span evaluated 12:10-12:20.

In this case, we can eliminate artificial boundaries by searching larger periods of time with stats:

user=* src_ip=* | stats dc(src_ip) as dc_src_ip values(src_ip) as src_ip by user | where dc_src_ip > 1 

If we wish to represent this graphically with an area or line chart we could use a search like this:

src_ip=* user=*| streamstats dc(src_ip) as dc_src_ip by user | where dc_src_ip > 1 | timechart span=10m dc(src_ip) as dc_src_ip by user


How would I add time to this query so that each IP a user had would be associated with a specific time period? We have an issue with users on wireless who constantly are changing IPs and I'd like to see at what time they had a specific IP.


0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...