Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I make a Splunk query that generates stats ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:07 AM
Here is my current query:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?<account>\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
I am trying to get all failed logons grouped by account name on a daily basis, and generate statistics so that future behavior can be identified as anomalous. This query "works", but this part of the query...
|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
...generates the stats on all the accounts and not only on the specific account.
Early on in the query, I group it by account name, Date and host, but after eventstats, it generates statistics on all the accounts as if they are the same. I think this is very easy to fix but I can't seem to figure it out.
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
12:25 PM
Yup that worked! Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:23 AM
Switch the query to:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean **by account** | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(counthigh_lim, count,0)
and It works...
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
