Splunk Search

How can I limit the results to only users that have more than 3 EventCode=4625?

AbelCruz
Path Finder

How can I limit the results to only users that have more than 3 EventCode=4625? I am trying to show only users that have more than 3 login failures within 5 minutes.

EventCode=4625 user="*" | dedup user | timechart count

1 Solution

davpx
Communicator
EventCode=4625 user="*" | bucket _time span=5m | stats count by user _time | where count>3


mayurr98
Super Champion

Hey, I think you are missing the where clause of the timechart command.

You can try something like this:

EventCode=4625 user="*" 
| timechart span=5m count by user WHERE count > 3

For more info, refer to this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timechart#Where_clause_Examples

Let me know if this helps!

adonio
Ultra Champion

Hello there,

Looking at those Windows events, consider filtering out accounts that end with "$".
Also, the stats command with bucket will work great if the 3 events fall exactly within the 5-minute bucket. However, if for example I have 2 failed logins at 14:44:57 and 14:44:58 and then another 2 failed logins at 14:45:02 and 14:45:04, the | where clause will not apply.
I think | streamstats time_window=5m is a better option.
Try the following search, and add your | where count>3 clause after you see some results to test (you can add | timechart max(count) with the right span at the end if you would like to visualize the data).
Examples for search:

index=wineventlog source="WinEventLog:Security" EventCode=4625 Account_Name=* action=failure
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| timechart span=5m max(count) as failed_login by User

OR

index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| table _time User count

Hope it helps.
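To make the bucket-versus-sliding-window point above concrete, here is an added Python example (not from this thread and not Splunk code) that replays the same four-failure sequence through both approaches: the fixed 5-minute bucket count from the accepted "bucket _time span=5m | stats count by user _time" answer, and a trailing 5-minute window in the spirit of "streamstats time_window=5m". It also mirrors the Account_Name selection and the "$" machine-account filter from the search above. The event sample, user names and timestamps are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of EventCode=4625 (failed logon) events. The two-valued
# Account_Name mirrors what Windows Security events carry: the subject account
# first and the account that failed to log on second. Timestamps are made up.
SAMPLE_EVENTS = [
    ("2018-03-01 14:44:57", ["-", "Alice"]),   # straddles a 5-minute boundary
    ("2018-03-01 14:44:58", ["-", "Alice"]),
    ("2018-03-01 14:45:02", ["-", "Alice"]),
    ("2018-03-01 14:45:04", ["-", "Alice"]),
    ("2018-03-01 14:46:10", ["-", "Bob"]),     # all four inside one bucket
    ("2018-03-01 14:46:12", ["-", "Bob"]),
    ("2018-03-01 14:46:15", ["-", "Bob"]),
    ("2018-03-01 14:46:20", ["-", "Bob"]),
    ("2018-03-01 14:47:00", ["HOST01$"]),      # machine account, single value
    ("2018-03-01 14:47:01", ["-", "HOST01$"]),
    ("2018-03-01 14:50:00", ["-", "Carol"]),
]

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # "more than 3" failures


def target_user(account_names):
    """Same rule as the eval in the search: take the second Account_Name when two
    are present, otherwise the first; lower-case it; drop accounts ending in '$'.
    Returns None when the event should be skipped."""
    name = account_names[1] if len(account_names) > 1 else account_names[0]
    name = name.lower()
    if name.endswith("$"):
        return None
    return name


def parse_events(raw):
    """Turn the raw sample into (timestamp, user) tuples sorted by time."""
    out = []
    for ts, names in raw:
        user = target_user(names)
        if user is None:
            continue
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    out.sort()
    return out


def fixed_bucket_max(events):
    """Equivalent of 'bucket _time span=5m | stats count by user _time':
    count per (user, 5-minute bucket) and report the largest bucket per user."""
    counts = defaultdict(int)
    for t, user in events:
        bucket = (t.date(), t.hour, t.minute // 5)  # clock-aligned 5-minute bins
        counts[(user, bucket)] += 1
    result = defaultdict(int)
    for (user, _), c in counts.items():
        result[user] = max(result[user], c)
    return dict(result)


def sliding_window_max(events, window=WINDOW):
    """Trailing-window count in the spirit of 'streamstats time_window=5m count by user':
    for each event, count that user's events in the preceding window (inclusive),
    and report the largest such count per user."""
    per_user = defaultdict(list)
    for t, user in events:
        per_user[user].append(t)
    result = {}
    for user, times in per_user.items():
        best, start = 0, 0
        for i, t in enumerate(times):
            while times[start] < t - window:   # slide the window's left edge forward
                start += 1
            best = max(best, i - start + 1)
        result[user] = best
    return result


def flag(counts, threshold=THRESHOLD):
    """Users whose count exceeds the threshold, i.e. the '| where count>3' step."""
    return sorted(u for u, c in counts.items() if c > threshold)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("fixed buckets  :", flag(fixed_bucket_max(events)))    # ['bob']
    print("sliding window :", flag(sliding_window_max(events)))  # ['alice', 'bob']
```

Alice's four failures split 2/2 across the 14:40 and 14:45 buckets, so the fixed-bucket count never exceeds 3 and she is missed, while the trailing window sees all four within 7 seconds and flags her; Bob is caught either way. The "$" filter drops the HOST01$ events before counting, and Carol's single failure is below the threshold under both methods.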
