
Tracking user login from different IP within a given time frame

New Member

I am attempting to identify users who are logging in from 2 or more IPs within a given amount of time.

| timechart span="10m" dc(source_ip) as dsip by user 

This does appear to work, but it still gives me dsip=1. If I attempt to add | where dsip > 1 it does not return any results.

Any help would be greatly appreciated.

Thanks much


Splunk Employee

If two IPs are used by one user within 10 minutes, but not within the 10 minutes being evaluated, then the above search would not return results. Example: the first IP is used at 12:05 and the second IP is used at 12:12, while the first 10 minute span evaluated is 12:00-12:10 and the second span evaluated is 12:10-12:20.

In this case, we can eliminate artificial boundaries by searching larger periods of time with stats:

user=* src_ip=* | stats dc(src_ip) as dc_src_ip values(src_ip) as src_ip by user | where dc_src_ip > 1 

If we wish to represent this graphically with an area or line chart we could use a search like this:

src_ip=* user=* | streamstats dc(src_ip) as dc_src_ip by user | where dc_src_ip > 1 | timechart span=10m dc(src_ip) as dc_src_ip by user
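As an added illustration (example code written for this page, not code from the thread, from Splunk, or from SPL), here is a small Python model of the boundary problem described above. It parses constructed `user=... src_ip=...` log lines, computes distinct IPs per user per fixed 10 minute bucket (what `timechart span=10m dc(src_ip) by user` does), and then evaluates a trailing sliding window per user, which is a generalization of the answer's point: the 12:05 / 12:12 pair is invisible to the fixed buckets but is caught once the artificial boundary is removed. The field names, timestamps and IPs are all constructed.

```python
"""Model of 'one user, several IPs within N minutes' detection.

Constructed sample events and example code; not Splunk code and not from the
original thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: alice uses two IPs 7 minutes apart, straddling
# the 12:00-12:10 / 12:10-12:20 boundary; bob stays on one IP throughout.
SAMPLE_LOGS = [
    "2024-01-01T12:05:00 action=login user=alice src_ip=10.0.0.1",
    "2024-01-01T12:12:00 action=login user=alice src_ip=10.0.0.2",
    "2024-01-01T12:03:00 action=login user=bob src_ip=10.0.0.3",
    "2024-01-01T12:14:00 action=login user=bob src_ip=10.0.0.3",
]


def parse_events(lines):
    """Parse 'timestamp key=value ...' lines into (timestamp, user, src_ip), sorted by time."""
    events = []
    for line in lines:
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts_text), kv["user"], kv["src_ip"]))
    return sorted(events)


def fixed_bucket_dc(events, span_minutes=10):
    """Distinct IPs per (user, fixed bucket start).

    This mirrors `timechart span=10m dc(src_ip) by user`: each event is assigned
    to the bucket containing it, so events in neighbouring buckets never meet.
    """
    ips = defaultdict(set)
    for ts, user, ip in events:
        bucket = ts.replace(
            minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0
        )
        ips[(user, bucket)].add(ip)
    return {key: len(seen) for key, seen in ips.items()}


def sliding_window_alerts(events, window_minutes=10):
    """For each event, count distinct IPs the same user used in the trailing window.

    Returns (user, timestamp, sorted IPs) for every event where that count is
    greater than 1. Because the window trails each event instead of being
    aligned to the clock, a 12:05 / 12:12 pair is detected.
    """
    alerts = []
    window = timedelta(minutes=window_minutes)
    history = defaultdict(list)  # user -> [(timestamp, src_ip), ...]
    for ts, user, ip in events:
        history[user].append((ts, ip))
        recent = {h_ip for h_ts, h_ip in history[user] if ts - h_ts <= window}
        if len(recent) > 1:
            alerts.append((user, ts, sorted(recent)))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    for (user, bucket), count in sorted(fixed_bucket_dc(evts).items()):
        print(f"bucket {bucket:%H:%M} user={user} dc(src_ip)={count}")
    for user, ts, ips in sliding_window_alerts(evts):
        print(f"ALERT {ts:%H:%M} user={user} ips={ips}")
```

Running the block prints `dc(src_ip)=1` for every fixed bucket (the `dsip=1` result the question describes) and a single alert for `alice` at 12:12, which is the behaviour the `stats`-based search above recovers by evaluating a larger period instead of clock-aligned spans.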

Motivator

How would I add time to this query so that each IP a user had would be associated with a specific time period? We have an issue with users on wireless who constantly are changing IPs and I'd like to see at what time they had a specific IP.

Thx
