How can I limit the results to only users that have more than 3 EventCode=4625?

AbelCruz
Path Finder

How can I limit the results to only users that have more than 3 EventCode=4625? I am trying to show only users that have more than 3 login failures within 5 minutes.

EventCode=4625 user="*" | dedup user | timechart count


davpx
Communicator
EventCode=4625 user="*" | bucket _time span=5m | stats count by user _time | where count>3


mayurr98
Super Champion

Hey, I think you are missing the where clause of the timechart command.

You can try something like this:

EventCode=4625 user="*" 
| timechart span=5m count by user WHERE count > 3

For more info, refer to this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timechart#Where_clause_Examples

Let me know if this helps!

adonio
Ultra Champion

Hello there,

Looking at those Windows events, consider filtering out accounts that end with "$".
Also, the stats command with bucket will work great if the 3 events fall exactly in the same 5-minute bucket. However, if for example I have 2 failed logins at 14:44:57 and 14:44:58 and then another 2 failed logins at 14:45:02 and 14:45:04, the | where clause will not apply.
I think | streamstats time_window=5m is a better option.
Try the following search, and add your | where count>3 clause after you see some results to test (you can add | timechart max(count) with the right span at the end if you would like to visualize the data).
Example searches:

index=wineventlog source="WinEventLog:Security" EventCode=4625 Account_Name=* action=failure
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| timechart span=5m max(count) as failed_login by User

OR

index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| table _time User count

Hope it helps.

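The boundary case adonio describes, as an added example that is not part of the thread: the same constructed 4625-style events are counted once with fixed 5-minute buckets (bucket + stats) and once with a sliding 5-minute window per user (what streamstats time_window=5m computes when grouped by user alone), after the mvindex/lower/"$" normalisation from the search above. Event contents, account names and timestamps are made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events shaped like Windows Security EventCode=4625 records; Account_Name
# is multivalue [subject, target] and the target (index 1) is the account that failed to log on.
EVENTS = [
    ("2024-02-01 14:44:57", ["-", "jdoe"]),
    ("2024-02-01 14:44:58", ["-", "jdoe"]),
    ("2024-02-01 14:45:02", ["-", "JDOE"]),
    ("2024-02-01 14:45:04", ["-", "jdoe"]),
    ("2024-02-01 14:45:10", ["-", "WKS01$"]),
    ("2024-02-01 14:45:11", ["-", "WKS01$"]),
    ("2024-02-01 14:45:12", ["-", "WKS01$"]),
    ("2024-02-01 14:45:13", ["-", "WKS01$"]),
]

def normalise(events):
    """The eval/search stages: pick the target account, lowercase it, drop names ending in '$'."""
    out = []
    for ts, names in events:
        user = (names[1] if len(names) > 1 else names[0]).lower()
        if user.endswith("$"):
            continue
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    return sorted(out)

def bucket_max(events, span_min=5):
    """`bucket _time span=5m | stats count by user _time`, then the largest bucket count per user."""
    counts = defaultdict(int)
    for t, user in events:
        bucket = t.replace(minute=t.minute - t.minute % span_min, second=0)
        counts[(user, bucket)] += 1
    best = defaultdict(int)
    for (user, _), n in counts.items():
        best[user] = max(best[user], n)
    return dict(best)

def sliding_max(events, window=timedelta(minutes=5)):
    """`streamstats time_window=5m count by user`: largest count in any 5-minute window ending at an event."""
    recent, best = defaultdict(deque), defaultdict(int)
    for t, user in events:  # events must be time-ordered, as streamstats requires
        q = recent[user]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        best[user] = max(best[user], len(q))
    return dict(best)

def flagged(per_user_max, threshold=3):
    return sorted(u for u, n in per_user_max.items() if n > threshold)  # the `| where count>3` step
```

With these events the bucketed count never exceeds 2 for jdoe (two failures in the 14:40 bucket, two in the 14:45 bucket), so the threshold is never crossed, while the sliding window sees all four within 7 seconds and flags the account.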
