Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Check failed and success from all users with single ip

siddh01r
New Member
‎03-10-2020 03:39 PM

Hi,

i am trying to find failed and success from all users with single ip.
so it would show like..

1p 1.1.1.1...users john doe 4 failed and 1 success
jay sean 5 failed 2 success

ip1.2.3.4 ...user tim smith 3 failed 1 sucess

starting query - index=authentication type=* |....

type is type of failure

0 Karma
Reply

siddh01r
New Member
‎03-10-2020 07:16 PM

index=index (type=f* AND type=s)
| stats count by user, type
| sort -count
| stats list(type) as auth_type, list(count) as count by user

I have used you search and have come up with what i need. however, now i amt trying to be really specific about what i want.
only looking for for where there is fail(f) AND success(s)
but , when i add the "AND" i get no results. when infact there are failed and successful events.

Please help

0 Karma
Reply

woodcock
Esteemed Legend
‎03-10-2020 05:30 PM

You tagged this post with Enterprise Security so make sure that you configure your sourcetype to be pulled into the Common Information Model and the do this:

| tstats count 
FROM datamodel=Authentication 
WHERE index="*" 
BY Authentication.src Authentication.user Authentication.action
| rename Authentication.* AS *
0 Karma
Reply

akshatj2
Path Finder
‎03-10-2020 04:01 PM

Sid,

There must be a field like action which provides details for if it is failed login or success login

you can form a search as below

index= (action = success OR action= failed)
| stats count by user, action
| sort -count
| stats list(action) as login_type, list(count) as count by user

Hope this helps.

0 Karma
Reply

siddh01r
New Member
‎03-10-2020 06:48 PM

index=index (type=f* AND type=s)
| stats count by user, type
| sort -count
| stats list(type) as auth_type, list(count) as count by user

I have used you search and have come up with what i need. however, now i amt trying to be really specific about what i want.
only looking for for where there is fail(f) AND success(s)
but , when i add the "AND" i get no results. when infact there are failed and successful events.

Please help

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...