Splunk Search

How do I aggregate individual searches into a single search?

jasperlee27
New Member

Hi.

My organization is looking at identifying individual users (UserID) who have failed authentication (logon) >5 times per day for >3 consecutive days straight.

I am able to get the individual days failed logins for a particular user, but how do I aggregate them in one search to create an alert?

I am currently using this search for a particular day.

index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Response=Reject | stats count by UserID | where count > 5

How do I extrapolate it to find 3 consecutive days straight?

I have also tried to use

index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Response=Reject | stats count by UserID | where count > 3 | span=1d count by UserID

to no avail. Have tried reading the documentation, but do not get it.
Thanks in advance for the help!


somesoni2
Revered Legend

Give this a try. Remove the lookup (the field Agent was not used) and move the search filters into the base search. This will list all the UserIDs for the days where there were more than 5 login failures.

index="myindex" Application=* Response=Reject | bucket _time span=1d 
| stats count by UserID _time | eval flag=if(count>5,1,0) 
| streamstats window=3 sum(flag) as flag by UserID | where flag=3

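The streak logic in the accepted answer, as an added Python model that is not part of the thread: it reproduces the per-day count, the count>5 flag and the three-row window, and sets it beside a calendar-day check, because `streamstats window=3` sums three consecutive rows per user and a day with zero failures produces no row at all. The sample data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the thread): user -> {day: number of Reject events}.
SAMPLE = {
    "alice": {"2024-03-01": 6, "2024-03-02": 7, "2024-03-03": 9},  # 3 consecutive days > 5
    "bob":   {"2024-03-01": 6, "2024-03-02": 8, "2024-03-04": 6},  # no row for 03-03: not consecutive
    "carol": {"2024-03-01": 5, "2024-03-02": 5, "2024-03-03": 5},  # exactly 5 is not > 5
}

def make_events(spec):
    """Expand the spec into flat (day, user, response) events, plus one Accept per user-day."""
    events = []
    for user, days in spec.items():
        for day, n in days.items():
            events += [(day, user, "Reject")] * n + [(day, user, "Accept")]
    return events

def daily_flags(events, per_day=5):
    """Per user, sorted (day, flag) rows: the bucket 1d | stats count | eval flag step."""
    counts = defaultdict(int)
    for day, user, response in events:
        if response == "Reject":
            counts[(user, date.fromisoformat(day))] += 1
    rows = defaultdict(list)
    for (user, day), n in sorted(counts.items()):  # stats output is ordered by UserID, _time
        rows[user].append((day, 1 if n > per_day else 0))
    return rows

def row_window_alerts(events, per_day=5, days=3):
    """Mimic streamstats window=3 sum(flag) | where flag=3: three flagged rows in a row, whatever their dates."""
    hits = set()
    for user, rows in daily_flags(events, per_day).items():
        flags = [f for _, f in rows]
        if any(sum(flags[i:i + days]) == days for i in range(len(flags) - days + 1)):
            hits.add(user)
    return hits

def consecutive_day_alerts(events, per_day=5, days=3):
    """Stricter check: the flagged rows must cover `days` consecutive calendar days."""
    hits = set()
    for user, rows in daily_flags(events, per_day).items():
        bad = {d for d, f in rows if f}
        if any(all(d + timedelta(days=i) in bad for i in range(days)) for d in bad):
            hits.add(user)
    return hits

if __name__ == "__main__":
    ev = make_events(SAMPLE)
    print("row window:", sorted(row_window_alerts(ev)))          # ['alice', 'bob']
    print("calendar days:", sorted(consecutive_day_alerts(ev)))  # ['alice']
```

bob is flagged by the row window only because his 03-03 has no row; in Splunk the same gap can be closed by filling missing days (for example with makecontinuous or a fillnull after timechart) before the streamstats.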


jasperlee27
New Member

Thank you. This worked perfectly! Also, is it possible to display more fields beside the data? (e.g. Department, Head-of-Department involved).

The fields are already defined, but in which part do I insert the fields into the search?

Thanks in advance


cmerriman
Super Champion

index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Response=Reject
| bucket _time span=1d | stats count by UserID _time | where count>5
| bucket _time span=3d | stats count as aggCount by UserID _time | where aggCount>=3

Try something like this.


jasperlee27
New Member

Thank you! This works but it does not capture repeated occurrences.
