Hi,
I am trying to find failed and successful logins for all users from a single IP,
so it would show something like:
ip 1.1.1.1 ... user john doe 4 failed and 1 success
jay sean 5 failed 2 success
ip 1.2.3.4 ... user tim smith 3 failed 1 success
starting query - index=authentication type=* | ....
type is the type of failure
index=index (type=f* AND type=s)
| stats count by user, type
| sort -count
| stats list(type) as auth_type, list(count) as count by user
I have used your search and have come up with what I need. However, now I am trying to be really specific about what I want:
only looking for where there is fail (f) AND success (s).
But when I add the "AND" I get no results, when in fact there are failed and successful events.
Please help.
You tagged this post with Enterprise Security,
so make sure that you configure your sourcetype
to be pulled into the Common Information Model
and then do this:
| tstats count
FROM datamodel=Authentication
WHERE index="*"
BY Authentication.src Authentication.user Authentication.action
| rename Authentication.* AS *
Sid,
There must be a field like action which provides details on whether it is a failed login or a successful login.
You can form a search as below:
index= (action = success OR action= failed)
| stats count by user, action
| sort -count
| stats list(action) as login_type, list(count) as count by user
Hope this helps.
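The reason `(type=f* AND type=s)` returns nothing is that the two conditions are applied to each event individually, and a single authentication event only ever carries one outcome value, so no event can satisfy both. The "has failures AND has successes" requirement is a property of a (source IP, user) pair, not of an event, so it has to be checked after aggregation. The two searches below are added examples written for this thread, not code posted by any of the participants; they assume an index named `authentication` and CIM-style fields `src`, `user` and `action` with the values `success` and `failure` (the poster's own `type` field and its values were not shown, so substitute those if the data is not CIM-normalized). The first search works on raw events; the second goes beyond the thread's examples by applying the same logic to the accelerated Authentication data model, where `tstats` already returns a per-action `count` that has to be summed rather than counted.

```spl
index=authentication (action="success" OR action="failure")
| stats count(eval(action="failure")) AS failed
        count(eval(action="success")) AS success
        BY src user
| where failed > 0 AND success > 0
| sort -failed

| tstats count FROM datamodel=Authentication
    WHERE (Authentication.action="success" OR Authentication.action="failure")
    BY Authentication.src Authentication.user Authentication.action
| rename Authentication.* AS *
| stats sum(eval(if(action="failure", count, 0))) AS failed
        sum(eval(if(action="success", count, 0))) AS success
        BY src user
| where failed > 0 AND success > 0
| sort -failed
```

Both searches produce one row per source IP and user with separate `failed` and `success` columns, which matches the layout asked for in the question and is easier to alert on than the `list()` output (for example `| where failed >= 5` to keep only pairs that look like password spraying or guessing followed by a successful login). Grouping by `src` as well as `user` is what keeps the counts per IP; drop `src` from the `BY` clause to get totals per user across all IPs.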