Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Trend Login Time Captures - Timechart Report for capturing the top logins times

Bassik
Path Finder
‎08-25-2020 06:18 PM

Hi, I want to be able to visualise the top 1-5/10 login times based on a time range. So if I select a time range of 24 hours I'd like to be able to see the most frequent times users have logged in over an hour period. Not too fussed on the top listings but essentially I'd like this to display (based on the below) atop count.

Bassik_0-1598404228279.png

Top Most Frequent Logins over an hour (24hr range)

1. Date 25/08/2020 10:00am -11:00am = 200 

In theory, it would list only the highest login counts over an hr and then decent in count value from whatever top count I'd want.

Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-26-2020 01:32 AM

I am not sure what your base data is but let's assume it is a log of logins with timestamps. So, something like:

... base search ...
| bin _time span=1h
| stats count by _time
| sort -count
| where count >= 200
| head 5

That is, bucket events into 1h bins, count events in those bins, sort counts descending, only take counts above 200, just take the top 5

0 Karma
Reply

Bassik
Path Finder
‎08-26-2020 04:51 AM

Hi this kind of works... but I am getting thousands of events where it should be only restricted to cs_username. This is my base search:

 

index=iis_prod sourcetype=iis site=AWS cs_Referer=*Login*  sc_status=200 OR 302 cs_username=* cs_User_Agent!=Varnish_Health_Probe

0 Karma
Reply

Bassik
Path Finder
‎08-26-2020 05:18 AM

Think I need to define the Login into a column and then search the count based on that whereby _time and Logins >200 are. The results I am getting is all the time events 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...