Splunk Search

Can I add a time span to a where count?

HealyManTech
Explorer

I am trying to see how many times a user fails a logon.

index=WinEvent Event=4625 user=* | timechart span=15m count by user usenull=f where count >3

I am getting events, but I am getting the sum of the events within the week time span. How would I be able to exclude the 0 results from the timechart? Or should I use the Chart command?

I am trying to do it so that if the count is over 3 in a 15-minute time span I want to see the events; if not, I don't want to see them.

0 Karma
1 Solution

pradeepkumarg
Influencer

Can you try this?

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time | search count > 3


0 Karma

HealyManTech
Explorer

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user | search count > 3

thanks to gpradeepkumarredd

Make sure you bin before the stats command. I made the mistake of putting it after.

0 Karma

pradeepkumarg
Influencer

I converted mine to answer so that you can accept it. Thanks!

0 Karma

HealyManTech
Explorer

Tried that. Getting about the same results. It is still getting me the sum of the counts and not just the 15-minute time span.

0 Karma

pradeepkumarg
Influencer

oops, try this. Missed adding _time to the stats

index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time | search count > 3

0 Karma
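The accepted search (bin, then stats by user and _time, then a threshold filter) and the mistake discussed above (leaving `_time` out of the `by` clause, which makes `bin` a no-op and collapses the counts over the whole search window) can both be seen on a small stand-in outside Splunk. The Python below is an added example, not code from the thread or from Splunk; it reimplements the three SPL stages over a constructed list of (timestamp, user) pairs standing in for Windows Event ID 4625 failed-logon events, and the sample data is made up for the demonstration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: (ISO-8601 UTC timestamp, target user) pairs standing in
# for Windows Event ID 4625 (failed logon) events. Not real log data.
SAMPLE_EVENTS = [
    ("2021-10-19T08:01:10Z", "alice"),
    ("2021-10-19T08:03:45Z", "alice"),
    ("2021-10-19T08:07:02Z", "alice"),
    ("2021-10-19T08:12:30Z", "alice"),  # alice: 4 failures inside the 08:00-08:15 bucket
    ("2021-10-19T08:20:00Z", "alice"),  # alice: 1 more failure in the 08:15-08:30 bucket
    ("2021-10-19T08:02:00Z", "bob"),
    ("2021-10-19T08:40:00Z", "bob"),
    ("2021-10-19T09:05:00Z", "bob"),
    ("2021-10-19T09:50:00Z", "bob"),    # bob: 4 failures total, but never more than 1 per bucket
]

SPAN_SECONDS = 15 * 60  # span=15m


def bin_time(ts: str, span: int = SPAN_SECONDS) -> int:
    """Stand-in for `bin _time span=15m`: floor the epoch time to the start of its bucket."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - (epoch % span)


def stats_count_by_user_time(events) -> Counter:
    """Stand-in for `stats count by user _time` after binning: one count per (user, bucket)."""
    return Counter((user, bin_time(ts)) for ts, user in events)


def stats_count_by_user(events) -> Counter:
    """Stand-in for `stats count by user` with `_time` omitted from the by clause.

    The bin step still runs but its result is never grouped on, so every user's
    failures are summed across the whole search window. This is the behaviour the
    thread describes as 'the sum of the counts'."""
    return Counter(user for _ts, user in events)


def search_count_gt(counts, threshold: int = 3) -> dict:
    """Stand-in for `search count > 3`: keep only rows whose count exceeds the threshold."""
    return {key: n for key, n in counts.items() if n > threshold}


def burst_failures(events, threshold: int = 3):
    """Users with more than `threshold` failed logons inside a single 15-minute bucket.

    Returns a sorted list of (user, bucket_start_iso, count) tuples."""
    hits = search_count_gt(stats_count_by_user_time(events), threshold)
    rows = []
    for (user, bucket), n in hits.items():
        start = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append((user, start, n))
    return sorted(rows)


if __name__ == "__main__":
    # With _time in the by clause: only alice's 08:00 bucket crosses the threshold.
    print("per-bucket:", burst_failures(SAMPLE_EVENTS))
    # Without _time: both users exceed 3 because counts are summed over the whole window.
    print("whole-window:", search_count_gt(stats_count_by_user(SAMPLE_EVENTS)))
```

Running it prints one per-bucket hit (alice, 4 failures starting 08:00) and two whole-window hits (alice 5, bob 4), which is exactly the difference between the working search and the one that omitted `_time`: bob's slow trickle of failures only looks like a burst when the bucket boundaries are thrown away.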

HealyManTech
Explorer

That worked, but I am still not able to group it for the 15 mins.

0 Karma

pradeepkumarg
Influencer

Not following. Can you elaborate?

0 Karma

HealyManTech
Explorer

Sorry. What I meant was I want the time to be grouped into 15-minute intervals and show me the count there. Researching more of it, and it seems I might need to do an eval command.

0 Karma

pradeepkumarg
Influencer

| bin _time span=15m does the same thing. It groups into 15 min buckets.

0 Karma

HealyManTech
Explorer

For some reason it is not grouping them. I am seeing a lot of events with the same _time but the count is 1, even though I am seeing about twelve events with the same time.

0 Karma

pradeepkumarg
Influencer

use sum(count) instead of just count ?

0 Karma

HealyManTech
Explorer

That didn't work. Comes with just a blank

0 Karma

HealyManTech
Explorer

Ok I got it right. I had it switched. bin command.

Thanks that got it to work now 😄

0 Karma