Splunk Search

Filter on a subsearch

acwardjr
Engager

Hello all,

I am trying to compare logins between two systems in our environment where a user failed login to one, but successfully logged into another.

index=login result=allow server_region=us [search failed_password us_login | rename us_accountid as accountid | table accountid] | stats count, values(accountid) as Accounts by ip | where count>2

First, in my inner query I looked for all failed logins via password in the US region (failed_password us_login) and then renamed us_accountid to accountid, since one system calls them us_accountid and the other just calls them accountid. I then pass those results to the outer query.

I currently have the stats and where clause on the outer query, but I would like them on the inner query so I can find anyone who fails 3 or more times on a password and THEN gets a success on the other system (and not just anyone who fails, but anyone who makes 3 or more failed logins). However, you can't "stats" on an inner query, as the results cannot be tabled out and passed to the outer query.

Thoughts?

1 Solution

lguinn2
Legend

Actually, you can do anything you want in a subsearch, as long as you understand what you are passing back to the outer search:

index=login result=allow server_region=us 
    [ search failed_password us_login | stats count by us_accountid 
    | where count > 2 | rename us_accountid as accountid
    | fields accountid ]
| stats count as SuccessfulLogins, values(accountid) as Accounts by ip

You should realize that in both the original search and the search that I have presented here, the count represents successful logins, not failed logins.
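To make the mechanics of the accepted answer concrete, here is an added Python model of the two-stage search (this is not Splunk code and not part of the original thread). It runs the inner search (stats count by us_accountid, where count > 2, rename, fields) over a constructed set of failed-login events, shows the OR filter that Splunk substitutes into the outer search in place of the subsearch, and then applies the outer search (result=allow, server_region=us, stats by ip) to a constructed set of successful-login events. The event dictionaries, IP addresses and account names are invented sample data; the field names follow the thread.

```python
"""Model of: index=login result=allow server_region=us
              [ search failed_password us_login | stats count by us_accountid
                | where count > 2 | rename us_accountid as accountid | fields accountid ]
              | stats count as SuccessfulLogins, values(accountid) as Accounts by ip
Added example, not code from the original post. All events below are constructed."""
from collections import Counter, defaultdict

# Constructed failed-login events from the first system (the subsearch's input).
FAILED_LOGINS = [
    {"us_accountid": "alice", "src": "198.51.100.7"},
    {"us_accountid": "alice", "src": "198.51.100.7"},
    {"us_accountid": "alice", "src": "198.51.100.7"},   # alice: 3 failures -> count > 2
    {"us_accountid": "bob",   "src": "198.51.100.9"},
    {"us_accountid": "bob",   "src": "198.51.100.9"},   # bob: only 2 failures -> dropped
    {"us_accountid": "carol", "src": "198.51.100.12"},
    {"us_accountid": "carol", "src": "198.51.100.12"},
    {"us_accountid": "carol", "src": "198.51.100.12"},
    {"us_accountid": "carol", "src": "198.51.100.12"},  # carol: 4 failures
]

# Constructed successful-login events from the second system (the outer search's input).
SUCCESSFUL_LOGINS = [
    {"accountid": "alice", "ip": "203.0.113.10", "result": "allow", "server_region": "us"},
    {"accountid": "alice", "ip": "203.0.113.10", "result": "allow", "server_region": "us"},
    {"accountid": "carol", "ip": "203.0.113.10", "result": "allow", "server_region": "us"},
    {"accountid": "bob",   "ip": "203.0.113.20", "result": "allow", "server_region": "us"},  # bob not in subsearch output
    {"accountid": "dave",  "ip": "203.0.113.30", "result": "allow", "server_region": "us"},  # dave never failed
    {"accountid": "alice", "ip": "203.0.113.40", "result": "allow", "server_region": "eu"},  # wrong region
    {"accountid": "carol", "ip": "203.0.113.10", "result": "deny",  "server_region": "us"},  # not an allow
]


def subsearch(failed_events, threshold=2):
    """Inner search: stats count by us_accountid | where count > threshold
    | rename us_accountid as accountid | fields accountid.
    Returns the account ids the subsearch hands back to the outer search."""
    counts = Counter(e["us_accountid"] for e in failed_events)
    return sorted(acct for acct, n in counts.items() if n > threshold)


def subsearch_filter(accountids):
    """Approximation of the search string Splunk substitutes for the subsearch:
    one OR'd accountid="..." term per returned row (layout of parentheses is
    approximate, the semantics are the point)."""
    return "(" + " OR ".join(f'accountid="{a}"' for a in accountids) + ")"


def outer_search(success_events, accountids):
    """Outer search with the substituted filter, then
    stats count as SuccessfulLogins, values(accountid) as Accounts by ip.
    Note the count is of successful logins, exactly as the answer warns."""
    wanted = set(accountids)
    per_ip = defaultdict(lambda: {"SuccessfulLogins": 0, "Accounts": set()})
    for e in success_events:
        if e.get("result") != "allow" or e.get("server_region") != "us":
            continue                      # base search terms of the outer query
        if e["accountid"] not in wanted:
            continue                      # the substituted subsearch filter
        row = per_ip[e["ip"]]
        row["SuccessfulLogins"] += 1
        row["Accounts"].add(e["accountid"])
    return {ip: {"SuccessfulLogins": r["SuccessfulLogins"],
                 "Accounts": sorted(r["Accounts"])} for ip, r in per_ip.items()}


if __name__ == "__main__":
    repeat_failers = subsearch(FAILED_LOGINS)
    print("subsearch expands to:", subsearch_filter(repeat_failers))
    for ip, row in outer_search(SUCCESSFUL_LOGINS, repeat_failers).items():
        print(ip, row)
```

Two practical caveats when using the real SPL: the subsearch must finish within Splunk's subsearch limits (by default 60 seconds and 10,000 result rows, set under [subsearch] in limits.conf), so a broad failed-login search over a long time range can be silently truncated; and because the failure count never leaves the subsearch, the outer stats can only count successes, so keep the failure threshold in the where clause of the subsearch as the answer does.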

