
How can I limit the results to only users that have more than 3 EventCode=4625?

AbelCruz

I am trying to show only users that have more than 3 login failures within 5 minutes.

EventCode=4625 user="*" | dedup user | timechart count


davpx (accepted solution)
EventCode=4625 user="*" | bucket _time span=5m | stats count by user _time | where count>3


mayurr98

Hey, I think you are missing the where clause of the timechart command.

You can try something like this:

EventCode=4625 user="*" 
| timechart span=5m count by user WHERE count > 3

For more info refer to this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timechart#Where_clause_Examples

Let me know if this helps!


adonio

Hello there,

Looking at those Windows events, consider filtering out accounts that end with "$".
Also, the stats command on the bucket will work great if the 3 events fall exactly in the 5-minute bucket. However, if for example I have 2 failed logins at 14:44:57 and 14:44:58 and then another 2 failed logins at 14:45:02 and 14:45:04, the | where clause will not apply.
I think | streamstats time_window=5m is a better option.
Try the following search, and add your | where count>3 clause after you see some results to test (you can add | timechart max(count) with the right span at the end if you would like to visualize the data).
Examples for search:

index=wineventlog source="WinEventLog:Security" EventCode=4625 Account_Name=* action=failure
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User="*$"
| streamstats time_window=5m count by User
| timechart span=5m max(count) as failed_login by User

(Field names are case-sensitive, so the streamstats and timechart by-clauses must use the User field created by the eval. The sliding window is applied to the raw event times; bucketing to 5 minutes before streamstats would collapse each bucket to a single _time and turn the window back into a fixed bucket, which is what the timechart span does afterwards for visualization.)

OR

index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User="*$"
| streamstats time_window=5m count by User
| table _time User count

hope it helps

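The difference between davpx's fixed 5-minute buckets and adonio's 5-minute sliding window, reproduced as an added example that is not part of this thread and is not Splunk code: it re-implements the two searches in Python over a handful of constructed 4625-style events so the behaviour can be checked offline. The accounts, timestamps and counts are made up; each tuple stands in for the _time and multivalue Account_Name fields a Splunk search would return, and the "$" machine-account filter and the Account_Name index selection mirror adonio's eval and search lines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # "more than 3" failures, as in the question

# Constructed sample events (not real log data): (timestamp, Account_Name values
# as Splunk extracts them from a 4625 event). The first value is the subject
# account, the second the target account that failed to log on; a single value
# means only one was extracted. Timestamps are naive and treated as UTC.
SAMPLE_EVENTS = [
    ("2024-05-01 14:44:57", ["-", "alice"]),   # adonio's example: 2 failures
    ("2024-05-01 14:44:58", ["-", "alice"]),   # just before 14:45 ...
    ("2024-05-01 14:45:02", ["-", "alice"]),   # ... and 2 just after it
    ("2024-05-01 14:45:04", ["-", "alice"]),
    ("2024-05-01 14:40:10", ["-", "bob"]),     # 4 failures inside one bucket
    ("2024-05-01 14:41:10", ["-", "bob"]),
    ("2024-05-01 14:42:10", ["-", "bob"]),
    ("2024-05-01 14:43:10", ["-", "bob"]),
    ("2024-05-01 14:50:00", ["-", "carol"]),   # exactly 3: not "more than 3"
    ("2024-05-01 14:50:30", ["-", "carol"]),
    ("2024-05-01 14:51:00", ["-", "carol"]),
    ("2024-05-01 14:52:00", ["dave"]),         # single-valued Account_Name
    ("2024-05-01 14:55:00", ["-", "WS01$"]),   # machine account, 5 failures
    ("2024-05-01 14:55:01", ["-", "WS01$"]),
    ("2024-05-01 14:55:02", ["-", "WS01$"]),
    ("2024-05-01 14:55:03", ["-", "WS01$"]),
    ("2024-05-01 14:55:04", ["-", "WS01$"]),
]


def target_user(account_names):
    """Mirror the eval in the thread: take the second Account_Name when there
    are two, else the first; lowercase it; drop machine accounts ending in "$"."""
    name = account_names[1] if len(account_names) > 1 else account_names[0]
    name = name.lower()
    return None if name.endswith("$") else name


def parse_events(raw):
    """(timestamp string, Account_Name list) -> time-sorted list of (datetime, user)."""
    events = []
    for ts, names in raw:
        user = target_user(names)
        if user is not None:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    return sorted(events)


def bucket_start(ts, span=WINDOW):
    """Floor ts to an epoch-aligned span boundary, like `bucket _time span=5m`."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    span_secs = int(span.total_seconds())
    return epoch + timedelta(seconds=secs - secs % span_secs)


def bucketed_offenders(raw, threshold=THRESHOLD):
    """`bucket _time span=5m | stats count by User _time | where count>3`:
    returns {(user, bucket start "HH:MM"): count} for buckets over the threshold."""
    counts = defaultdict(int)
    for ts, user in parse_events(raw):
        counts[(user, bucket_start(ts))] += 1
    return {(u, b.strftime("%H:%M")): c
            for (u, b), c in counts.items() if c > threshold}


def sliding_offenders(raw, threshold=THRESHOLD, window=WINDOW):
    """`streamstats time_window=5m count by User | where count>3`: for each
    event, count that user's failures in the trailing window; return
    {user: peak trailing count} for users that ever exceed the threshold."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, user in parse_events(raw):  # streamstats needs time order too
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # evict failures older than the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {u: c for u, c in peak.items() if c > threshold}


if __name__ == "__main__":
    print("fixed 5m buckets :", bucketed_offenders(SAMPLE_EVENTS))
    print("sliding 5m window:", sliding_offenders(SAMPLE_EVENTS))
```

With this sample, the bucketed search only reports bob (four failures inside the 14:40 bucket); alice's four failures straddle the 14:45 boundary and land as two and two, so `where count>3` never fires. The sliding window reports both alice and bob, while carol (exactly three) and the WS01$ computer account are excluded by the threshold and the "$" filter respectively.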
