Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add daily stats to Search

Madmax
Path Finder
‎11-03-2023 07:06 AM

I was able to find this search that gives me the number of users(IONS) who disconnected 10 or more times however it gives me the total based on time.  I would like to display a daily number for 30 days in a line chart.  For example Monday there were 10 users who disconnected over 10 time and so on for the rest of week. I can't seem to get the timechart to work with this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| stats count by Device IONS
| where count >= 10
| appendpipe [|stats count as IONS | eval Device="Total"]
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-03-2023 07:46 AM

If I understand you correctly the query should work like this:

 

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eventstats count as failed_count by Device IONS
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

 

This will show you the amount of user with more than 10 failed logons on each day.

View solution in original post

Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-03-2023 10:41 AM

That's exactly what I needed!!!  Thank you very much. 

0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎11-06-2023 12:27 AM

I'm glad I was able to help! 

0 Karma
Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-03-2023 07:46 AM

If I understand you correctly the query should work like this:

 

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eventstats count as failed_count by Device IONS
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

 

This will show you the amount of user with more than 10 failed logons on each day.

Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-06-2023 08:29 AM

I spoke too soon.  It appears that the numbers are not accurate.  It shows the proper number if I set the time picker to last 24 hours but once I select last 30 days the number for yesterday increase by hundreds.  

0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎11-07-2023 12:08 AM

My bad. I forgot to add a time variable to the eventstats. By disregarding time the query checks whether a user has more than 10 failed logins over the entire search span. If your data already has a date stamp then you can use that. Alternatively you could adjust the query like this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eval temp_date = strftime(_time, "%Y-%m-%d")
| eventstats count as failed_count by IONS,temp_date
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

 

Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-07-2023 06:18 AM

That worked like a charm!!  Thanks again! 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...