I want to set up a use case in Splunk, and I am new to this application.
Any help on how to start?
Get all your data in the CIM and accelerate your Authentication
datamodel. Then your 2 searches will be:
| tstats summariesonly=true allow_old_summaries=true count
FROM datamodel=Authentication
WHERE index=* AND nodename="Authentication.Failed_Authentication"
BY Authentication.user
And:
| tstats summariesonly=true allow_old_summaries=true count dc(Authentication.app) AS app_count values(Authentication.app)
FROM datamodel=Authentication
WHERE index=* AND nodename="Authentication.Successful_Authentication"
BY Authentication.user
| sort 0 - app_count
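To turn the first search into an actual use case, it needs to run on a schedule and fire when a user crosses a threshold; the savedsearches.conf stanza below is an added example (not from the original answer or Splunk Security Essentials) that does this, and the stanza name, the 20-failure threshold and the 15-minute window are assumptions to tune for your environment.

```ini
# Added example: scheduled alert built on the failed-authentication tstats
# search above. Stanza name, threshold (20) and window (15m) are assumptions.
[Excessive Failed Authentication by User - Assumed Example]
enableSched = 1
# run every 15 minutes over the previous 15-minute window
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# same tstats search as the answer, with the threshold applied after the BY
search = | tstats summariesonly=true allow_old_summaries=true count \
    FROM datamodel=Authentication \
    WHERE index=* AND nodename="Authentication.Failed_Authentication" \
    BY Authentication.user \
    | rename Authentication.user AS user \
    | where count >= 20
# trigger when at least one user row survives the threshold
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
```

Because summariesonly=true returns only data already summarized by the accelerated datamodel, events from sourcetypes that are not CIM-tagged as authentication (or not yet summarized) are silently absent; run the search once with summariesonly=false to confirm coverage before trusting the alert.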
The Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435/) shows how to implement those and many other use cases.