Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I make a Splunk query that generates stats ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:07 AM
Here is my current query:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?<account>\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
I am trying to get all failed logons grouped by account name on a daily basis, and generate statistics so that future behavior can be identified as anomalous. This query "works", but this part of the query...
|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
...generates the stats on all the accounts and not only on the specific account.
Early on in the query, I group it by account name, Date and host, but after eventstats, it generates statistics on all the accounts as if they are the same. I think this is very easy to fix but I can't seem to figure it out.
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
12:25 PM
Yup that worked! Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:23 AM
Switch the query to:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean **by account** | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(counthigh_lim, count,0)
and It works...
Get Updates on the Splunk Community!
Changes to Splunk Instructor-Led Training Completion Criteria
We’re excited to share an update to our instructor-led training program that enhances the learning experience ...
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
