Splunk Search

Dedup using time range

jhillenburg
Path Finder

Hi. I am creating a search and dashboard to display our last ten locked account events. This seems to work well as I have it configured. One of the things I am doing is using the dedup command to remove extra occurrences of an event, given that the lockout events often show up on multiple Active Directory domain controllers (outlined in green below). I am using the "Account_Name" and _time values for this purpose. This works well except where the events are on different domain controllers at different times. In this case, I would prefer to dedup using a window of time (say 5 seconds), but I cannot find how to do this. Shown in the example below are some entries outlined in red, where they are the same user but at different times, and I would want to be careful to not exclude those events, so a straight dedup does not help.

Code:

EventCodeDescription="A user account was locked out" Account_Name=* NOT "Guest" Account_Domain=* Caller_Computer_Name=* dvc=* source="WinEventLog:Security" _time=* | eval Account_Name=mvindex(Account_Name,1)  | dedup Account_Name _time  | rename dvc AS "Domain Controller" | rename Account_Domain AS "Domain Name" | rename Caller_Computer_Name AS "Client Host" | rename Account_Name AS "Account Name" | table _time "Account Name" "Client Host" "Domain Controller" "Domain Name" | sort -_time

Thanks.

EDIT: Apparently, I am not allowed to attach images. Please see the Evernote link below:

https://www.evernote.com/shard/s26/sh/9082054d-788a-491f-92c2-66718d443740/cc2de893310866299d2919834...

Tags (3)
1 Solution

sideview
SplunkTrust
SplunkTrust

using the bin command (aka bucket), and then doing dedup _time "Domain Controller" is a good solution.

One problem though with using bin here though is that you're going to have a certain amount of cases where even though the duplicate events are only 5 seconds away, they happen to cross one of the arbitrary bucketing boundaries. To take a worst case scenario if the user gets locked out at 11:59:57 PM on one DC and 12:00:02 AM on another dc.

| bin _time span=5sec | dedup _time "Domain Controller" 

wont dedup them. Nor will any other reasonable arguments to bin.

An odd solution that seems to avoid the problematic cases that I can think of, would be

| bin _time span=5sec | eval _time=_time+10 | bin _time span=10sec | dedup _time "Domain Controller" 

View solution in original post

sideview
SplunkTrust
SplunkTrust

using the bin command (aka bucket), and then doing dedup _time "Domain Controller" is a good solution.

One problem though with using bin here though is that you're going to have a certain amount of cases where even though the duplicate events are only 5 seconds away, they happen to cross one of the arbitrary bucketing boundaries. To take a worst case scenario if the user gets locked out at 11:59:57 PM on one DC and 12:00:02 AM on another dc.

| bin _time span=5sec | dedup _time "Domain Controller" 

wont dedup them. Nor will any other reasonable arguments to bin.

An odd solution that seems to avoid the problematic cases that I can think of, would be

| bin _time span=5sec | eval _time=_time+10 | bin _time span=10sec | dedup _time "Domain Controller" 

jhillenburg
Path Finder

What about a way, for the purposes of deduplication (though not display), to round to the nearest one minute? I'm really talking about rounding, not bucketing, which are different things.

0 Karma

sideview
SplunkTrust
SplunkTrust

This is exactly what the bin command does. bin _time span=1m will round down to the nearest minute. I prefer to use it as "bin" rather than the command alias "bucket", partly for this reason. The two functions are often conflated, because you often see the bin command used with stats such as " | bin _time span=1m | stats count by _time"

0 Karma

trsavela
Path Finder
0 Karma

jhillenburg
Path Finder

That certainly groups them together, though if an administrator were trying to search for the events in the logs, they would not find a precise match. Having a dedup threshold would achieve the most desirable behavior.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...