Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Counting & Grouping Field Values

MikeElliott
Communicator
‎07-21-2017 01:49 AM

Hi All,

I am currently attempting to write a Splunk search that will count the amount of failed authentications for a multiple user accounts, grouped by Source IP. I have provided my current (basic) search string below and have attached an image of sanitised search results, detailing current output vs the output I would like to achieve.

I have attempted various different combinations of stats count() and stats values(), but just cannot seem to get it right.

Any assistance would be greatly appreciated.

index=Windows sourcetype=WinEventLog:Security EventCode=4625
| eval Account_Name=mvindex(Account_Name, 1)
| stats count(EventCode) as Authentication_Failures by Account_Name, Source_Network_Address

Uploaded Image

Tags (1)
Preview file
64 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-22-2017 07:07 PM

Just add this to the bottom of your existing search:

| stats values(*) AS * BY Account_Name

OR

| stats sum(Authentication_Failures) AS Authentication_Failures list(Source_Network_Address) AS Source_Network_Address BY Account_Name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-22-2017 07:07 PM

Just add this to the bottom of your existing search:

| stats values(*) AS * BY Account_Name

OR

| stats sum(Authentication_Failures) AS Authentication_Failures list(Source_Network_Address) AS Source_Network_Address BY Account_Name
0 Karma
Reply
Solved! Jump to solution

MikeElliott
Communicator
‎07-24-2017 12:11 AM

Much appreciated @woodcock! Thank you for taking the time to help me out 🙂

0 Karma
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 05:34 AM

@MikeElliott try something like this

 index=Windows sourcetype=WinEventLog:Security EventCode=4625
 | eval Account_Name=mvindex(Account_Name, 1)
 | stats list(EventCode) as Authentication_Failures list(Source_Network_Address) as Source_Network_Address by Account_Name
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 05:39 AM

I was using a csv with the generated data so you can sum Authentication_Failures if your totaling the actual times failed login also

index=Windows sourcetype=WinEventLog:Security EventCode=4625
| eval Account_Name=mvindex(Account_Name, 1)
| stats sum(EventCode) as Authentication_Failures list(Source_Network_Address) as Source_Network_Address by Account_Name
0 Karma
Reply
Solved! Jump to solution

MikeElliott
Communicator
‎07-21-2017 06:44 AM

A superb solution, my thanks @Grumpalot.

I have made a few modifications to the search string - Mainly just to adjust the end output. I was wondering if I could be so bold as to ask for help with one last thing?

How would I modify the below search string to only provide results where Source_Network_Address field has >= 2 Values? I have attempted to use a where statement, as well as a separate count() | where statement and can't seem to get it to work.

index=Windows sourcetype=WinEventLog:Security EventCode=4625 earliest=-25h@h latest=-1h@h 
| eval Account_Name=mvindex(Account_Name, 1) 
| search Source_Network_Address!="-" 
| stats count(EventCode) as Authentication_Failures values(Source_Network_Address) as Source_Network_Address by Account_Name 
| where Authentication_Failures > 10 
| sort -Authentication_Failures
0 Karma
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 07:35 AM

Go ahead and change your where to search

index=Windows sourcetype=WinEventLog:Security EventCode=4625 earliest=-25h@h latest=-1h@h 
| eval Account_Name=mvindex(Account_Name, 1) 
| search Source_Network_Address!="-" 
| stats count(EventCode) as Authentication_Failures values(Source_Network_Address) as Source_Network_Address by Account_Name 
| search Authentication_Failures > 10 
| sort -Authentication_Failures
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...