Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Display Each Event of User with "X" Number of Failed Logins

SplunkLunk
Path Finder
‎04-05-2017 08:18 AM

Good morning,

I have the following search:

index=[my index] source=[my source] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(url_60) as "URL" by user| where Count > 5|sort -Count|rename user as User

Right now it displays a summary of the events. What I'd really like to do is determine every user that had more than five failed logins and display each event on a separate line. I'll add a timestamp as well to the alert/events. Any advice would be appreciated. Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎04-05-2017 08:48 AM

Try like this. Using eventstats instead of stats( which does the aggregation) so that all actual events are retained. You probably would need to include appropriate table command in case you want a table visualization else, you could use Event visualization with following

index=[my index] source=[my source] sourcetype=[my sourcetype] event=login_fail|eventstats count as Count by user| where Count > 5|sort -Count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2017 08:56 AM

We could do this with eventstats and show the raw events but I think the problem that you really have is that you are using values(event) instead of list(_raw); try this:

index=[my index] source=[my source] sourcetype=[my sourcetype] event=login_fail
| stats count AS Count list(_raw) AS Events values(ip) AS IPs values(url_60) AS "URL" BY user
| where Count > 5|sort -Count|rename user as User
0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎04-05-2017 09:09 AM

This appears to give me all the failed_login events for the day, not just any user greater than five. I cut and paste your suggestion to make sure I wasn't making a typo.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2017 11:36 AM

That seems impossible; the | where Count > 5 will unquestionably limit the ending result set.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎04-05-2017 08:48 AM

Try like this. Using eventstats instead of stats( which does the aggregation) so that all actual events are retained. You probably would need to include appropriate table command in case you want a table visualization else, you could use Event visualization with following

index=[my index] source=[my source] sourcetype=[my sourcetype] event=login_fail|eventstats count as Count by user| where Count > 5|sort -Count
0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎04-05-2017 08:54 AM

Thank you. That looks like what I need. Much appreciated. I did not know about the eventstats command. Makes sense given them name.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...