- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: 1 Search with two results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a saved search returns the number of failed logins to a domain over a 24 hour period.
source="wineventlog:security" ("EventCode=4625") OR ("EventCode=529") host=dc*snlnt | stats count by host | rename count as "Unsuccessful Logins" | sort "Unsuccessful Logins"
That produces the following:
Host Unsuccessful Logins
MachineA Total_MachineA
MachineB Total_MachineB (and so on)
What I want to do is now add another running total of event id's 4624 and 528 as "Successful Logins" to the same search and produce the following:
Host Unsuccessful Logins Successful Logins
MachineA Total_MachineA Total_MachineA
MachineB Total_MachineB Total_MachineB (and so on)
It would be nice to have a way of determining the average per day over the last 7 days per host, but I am not sure what to do when you have a day with a higher than normal Unsuccessful or Successful count - that would then throw off your average over 7 days.
Thanks in advance,
Jason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following will give you both results in the same search in descending order by Unsuccessful Logins.
source="wineventlog:security" host=dc*snlnt | stats count(eval(EventCode="4625" OR EventCode="529")) as "Unsuccessful Logins", count(eval(EventCode="4624" OR EventCode="528")) as "Successful Logins" by host | sort -"Unsuccessful Logins" | table host "Unsuccessful Logins" "Successful Logins"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much, this worked like a champ.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following will give you both results in the same search in descending order by Unsuccessful Logins.
source="wineventlog:security" host=dc*snlnt | stats count(eval(EventCode="4625" OR EventCode="529")) as "Unsuccessful Logins", count(eval(EventCode="4624" OR EventCode="528")) as "Successful Logins" by host | sort -"Unsuccessful Logins" | table host "Unsuccessful Logins" "Successful Logins"
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
