Splunk Search

How do I edit my transaction search to find over 3 failed Windows logon events that happen within a 10 minute timespan?

Explorer

So I am working a bit with transaction and I am unable to verify how it should work. This is my search:

index="myintestindex" sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625) AND Failure_Reason="Unknown user name or bad password." | transaction maxspan=10m | table Account_Name, Failure_Reason

What I am looking for is a) to find all those EventCodes and FailureReason that happen on a 10m span, then b) to count if there are over 3 of them in that specific 10min timespan. I don't want to end the search at AccountName being allowed (so no failure).

This is on the simplest form and I do not want to do it with alert/reporting - but with a search.


Re: How do I edit my transaction search to find over 3 failed Windows logon events that happen within a 10 minute timespan?

SplunkTrust

How about this

index="myintestindex" sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625) AND Failure_Reason="Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3


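To make the grouping in the accepted answer concrete, here is an added Python approximation of `transaction Account_Name maxspan=10m | where eventcount>=3` run over a handful of constructed failed-logon events; it is not the answerer's code or Splunk's implementation, and it simplifies transaction semantics (events are scanned oldest-first and a transaction closes once the gap from its first event exceeds maxspan).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events standing in for WinEventLog:Security records that
# already passed the EventCode / Failure_Reason filter of the base search.
EVENTS = [
    {"_time": "2024-01-01 09:00:10", "Account_Name": "alice", "EventCode": 4625},
    {"_time": "2024-01-01 09:03:00", "Account_Name": "alice", "EventCode": 4625},
    {"_time": "2024-01-01 09:07:30", "Account_Name": "alice", "EventCode": 529},
    {"_time": "2024-01-01 09:30:00", "Account_Name": "alice", "EventCode": 4625},
    {"_time": "2024-01-01 09:01:00", "Account_Name": "bob", "EventCode": 4625},
    {"_time": "2024-01-01 09:20:00", "Account_Name": "bob", "EventCode": 4625},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def summarise(key, txn):
    """Produce the fields the answer tables: Account_Name, duration, eventcount."""
    duration = (parse(txn[-1]["_time"]) - parse(txn[0]["_time"])).total_seconds()
    return {"Account_Name": key, "duration": duration, "eventcount": len(txn)}


def transactions(events, group_field="Account_Name", maxspan=timedelta(minutes=10)):
    """Simplified `transaction <group_field> maxspan=...`: one account's events
    share a transaction while (current - first) <= maxspan, else a new one opens."""
    by_group = {}
    for e in sorted(events, key=lambda e: parse(e["_time"])):
        by_group.setdefault(e[group_field], []).append(e)
    result = []
    for key, evs in by_group.items():
        txn = [evs[0]]
        for e in evs[1:]:
            if parse(e["_time"]) - parse(txn[0]["_time"]) <= maxspan:
                txn.append(e)
            else:
                result.append(summarise(key, txn))
                txn = [e]
        result.append(summarise(key, txn))
    return result


def suspicious(events, threshold=3):
    """Equivalent of `| where eventcount>=3` on the transaction output."""
    return [t for t in transactions(events) if t["eventcount"] >= threshold]


if __name__ == "__main__":
    for row in suspicious(EVENTS):
        print(row)
```

With the sample data only alice's three failures between 09:00 and 09:08 form a transaction that reaches the threshold; her later failure at 09:30 and bob's two failures 19 minutes apart each end up in transactions of one event.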

Re: How do I edit my transaction search to find over 3 failed Windows logon events that happen within a 10 minute timespan?

Explorer

This works. Thanks!
