Splunk Search

Creating a SPL using tstats for Multiple Failed Logins Followed by Success?

randqm
Loves-to-Learn Everything

Hello Splunk Community,

I'm currently working on creating a search using the tstats command to identify user behavior related to multiple failed login attempts followed by a successful login. I want to use tstats for this due to its efficiency with high volumes of data, compared to the transaction command.

In my case, I want to be able to detect an event sequence where a user has had, let's say, 10 or more failed login attempts, followed by a successful login attempt, within a specified time window (for example, within an hour).

I understand that tstats doesn't provide the same level of detail as transaction for creating sequences of events. However, I'm looking for suggestions on how to use tstats, combined with other SPL commands, to achieve a similar result.

Here's an example of the type of data I'm dealing with:

_time user status

1622890560 user1 failure
1622890620 user1 failure
1622890680 user1 success

In this example, the status field contains "success" or "failure", and the user field contains the user ID.

Any guidance or suggestions would be greatly appreciated.

Thanks in advance for your help!


gcusello
SplunkTrust

Hi @randqm ,

you can use tstats only on a DataModel or on index-time fields, so probably the user field isn't indexed.

If you don't have a DM, you should use the stats command, which is much faster than transaction. If you're speaking of Windows logs, you could try something like this:

index=wineventlog (EventCode=4624 OR EventCode=4625)
| stats 
   count(eval(EventCode=4624)) AS success_count 
   count(eval(EventCode=4625)) AS failed_count
   by host user
| where success_count>0 AND failed_count>10

If you have different data sources, adapt the search using the success and failed conditions of your data sources.

Ciao.

Giuseppe


sabkha
Loves-to-Learn

But this won't show the sequence. How can we have a search that shows a successful login after failed logins (in sequence)?
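
The point raised in this reply is the crux: counting successes and failures per user says nothing about their order, so a user who logged in once and then mistyped their password ten times looks identical to a credential-stuffing attempt that finally lands. The search logic that actually answers the original question has to walk each user's events in time order, keep only the failures that fall inside the window, and fire only when a success arrives while that count is at or above the threshold (in SPL the same ordering is usually imposed with a streamstats count per user that is reset on success, rather than with plain stats). The following Python is an added example written for this thread, not code from any of the posters; it reads the three-column `_time user status` format given in the question and implements that sequence check offline. The function names, the sample data and the `threshold`/`window` parameters are my own choices.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    time: int      # epoch seconds, same meaning as Splunk's _time
    user: str
    status: str    # "success" or "failure", as in the question's sample data


def parse_events(text):
    """Parse '<epoch> <user> <status>' lines; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        events.append(LoginEvent(int(parts[0]), parts[1], parts[2]))
    return events


def detect_failed_then_success(events, threshold=10, window=3600):
    """Return (user, first_failure_time, success_time, failure_count) for every
    success that was preceded, within `window` seconds, by at least `threshold`
    failures for the same user. Order matters: failures after a success do not
    count towards it, and a success resets the streak."""
    recent_failures = defaultdict(deque)   # user -> failure timestamps in the window
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        q = recent_failures[ev.user]
        # Slide the window: discard failures older than `window` seconds.
        while q and ev.time - q[0] > window:
            q.popleft()
        if ev.status == "failure":
            q.append(ev.time)
        elif ev.status == "success":
            if len(q) >= threshold:
                hits.append((ev.user, q[0], ev.time, len(q)))
            q.clear()   # a successful login ends the streak either way
    return hits


def constructed_sample():
    """Constructed test data covering the three cases that distinguish a
    sequence check from a per-user count."""
    base = 1622890560   # same epoch as the question's sample
    lines = []
    # user1: ten failures one minute apart, then a success -> must be flagged
    for i in range(10):
        lines.append(f"{base + 60 * i} user1 failure")
    lines.append(f"{base + 600} user1 success")
    # user2: a success FOLLOWED by ten failures -> same counts, wrong order, must not flag
    lines.append(f"{base} user2 success")
    for i in range(10):
        lines.append(f"{base + 60 * (i + 1)} user2 failure")
    # user3: ten failures ten minutes apart, then a success; only six of the
    # failures fall inside the one-hour window, so it stays below threshold
    for i in range(10):
        lines.append(f"{base + 600 * i} user3 failure")
    lines.append(f"{base + 6000} user3 success")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in detect_failed_then_success(parse_events(constructed_sample())):
        user, first_fail, success_at, n = hit
        print(f"{user}: {n} failures from {first_fail} then success at {success_at}")
```

Running it flags only user1; user2 has the same failure and success counts but in the wrong order, and user3's failures are too spread out to fit the window, which is exactly the distinction a stats-by-count search cannot make.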
