Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my transaction search to find over 3 failed Windows logon events that happen within a 10 minute timespan?

strangelaw
Explorer
‎01-27-2016 08:43 AM

So I am working a bit with transaction and I am unable to verify how it should work. This is my search:

index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m | table Account_Name, Failure_Reason

What I am looking for is a) to find all those EventCodes and Failure_Reason that happen on 10m span then b) to count that if there is over 3 of them on that specific 10min timespan. I dont want to end the search to Account_Name being allowed (so no failure).

This is on the simplest form and I do not want to do it with alert/reporting - but with a search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:40 AM

How about this

 index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:40 AM

How about this

 index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3
0 Karma
Reply
Solved! Jump to solution

strangelaw
Explorer
‎04-05-2016 08:08 AM

This forks. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...