Splunk Search

Can I add a time span to a where count?

HealyManTech
Explorer

I am trying to see how many time a user fail a log on.

index=WinEvent Event=4625 user=* | timechart span=15m count by user usenull=f where count >3

I am getting event but I am getting the sum of the event within the week time span. How would I be able to to exclude the 0 results from the timechart? Or should I use the Chart command?

I am trying to do it if the count if over 3 in a 15 minute time span I want to see the events if not I don't want to see it.

Tags (2)
0 Karma
1 Solution

pradeepkumarg
Influencer

Can you try this?

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time| search count > 3

View solution in original post

0 Karma

pradeepkumarg
Influencer

Can you try this?

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time| search count > 3

0 Karma

HealyManTech
Explorer

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user | search count > 3

thanks to gpradeepkumarredd

Make sure to you bin before stats command. I made the mistake of putting it after.

0 Karma

pradeepkumarg
Influencer

I converted mine to answer so that you can accept it. Thanks!

0 Karma

HealyManTech
Explorer

Tried that. Getting about the same results. It is still getting me the sum of the counts and not just the 15 mins time span.

0 Karma

pradeepkumarg
Influencer

oops, try this. Missed adding _time to the stats

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time | search count > 3 

0 Karma

HealyManTech
Explorer

That worked but I am still not about to group it for the 15 mins.

0 Karma

pradeepkumarg
Influencer

Not following. Can you elaborate?

0 Karma

HealyManTech
Explorer

Sorry. What I meant was I want the time to be group for 15 minute intervals and show me that count there. Researching more of it and seems I might need to do an eval command.

0 Karma

pradeepkumarg
Influencer

| bin _time span=15m does the same thing. It groups into 15 min buckets.

0 Karma

HealyManTech
Explorer

For some reason it is not grouping them. I am seeing a lot of event with the same _time but the count is 1 even thought I am seeing about twelve events with the same time.

0 Karma

pradeepkumarg
Influencer

use sum(count) instead of just count ?

0 Karma

HealyManTech
Explorer

That didn't work. Comes with just a blank

0 Karma

HealyManTech
Explorer

Ok I got it right. I had it switched. bin command.

Thanks that got it to work now 😄

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...