Splunk Search

How to Table username if two action at the same time

marco_massari11
Communicator

Hi,

I'm looking for users that log into an application and reset the password at the same time. The logs involved are like this:

Login:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....

Pwd Change:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......

IP: 1.1.1.1

action: /servlet/Login, /PasswordChange

IP and action are already extracted, so I need something like: if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.

 

Thanks in advance!

 

1 Solution

gcusello
SplunkTrust

Hi @marco_massari11,

Let me understand: you want to know if there are IPs that made a login and a password change at the same time?

Is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange")
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing the result you can make the conditions, e.g.:

| where dc_kind=2 AND dc_time=1

Ciao.

Giuseppe



marco_massari11
Communicator

Hi Giuseppe,

Yes, it's possible and your query is exactly what I need, but I have a problem: it's possible to have many events with login and reset at different times, like this:

1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1"....

So the 2 events at 09:38:39 should appear in the table, but they don't because dc_time is equal to 3 because of the events above.

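To show why grouping by IP alone breaks on the events above, here is an added Python example (not code from the thread) that parses those access-log lines and groups by (IP, timestamp) instead, so only the pair at 09:38:39 is reported; the sample log, the regex and the function names are my own constructions.

```python
import re
from collections import defaultdict

# NCSA-style access log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path -> event kind, the same split as the eval kind=... in the thread.
KINDS = {"/servlet/Login": "Login", "/PasswordChange/": "PasswordChange"}

# Constructed sample modelled on the events quoted in the thread: 1.1.1.1 has two
# extra password changes at other times (what inflates dc(_time) BY IP), plus a
# second IP whose login and change are one second apart and must NOT match.
SAMPLE_LOG = """\
1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200 512
1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200 512
1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200 1024
1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1" 200 2048
2.2.2.2 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200 2048
2.2.2.2 - - [31/May/2022:11:15:04 +0200] "GET /PasswordChange/ HTTP/1.1" 200 1024
"""


def parse(lines):
    """Yield (ip, timestamp, kind) for lines whose path is a watched action."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path") in KINDS:
            yield m.group("ip"), m.group("ts"), KINDS[m.group("path")]


def find_coincident(lines, by_ip=True):
    """Return sorted (ip, timestamp) keys at which BOTH kinds occurred.

    The timestamp is part of the grouping key, so other events from the same IP
    no longer matter. by_ip=False drops the IP from the key ("regardless of IP",
    as asked later in the thread) and reports the placeholder ip '*'.
    """
    groups = defaultdict(set)
    for ip, ts, kind in parse(lines):
        groups[(ip if by_ip else "*", ts)].add(kind)
    return sorted(key for key, kinds in groups.items() if len(kinds) == 2)


if __name__ == "__main__":
    for ip, ts in find_coincident(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {ip}  Login and PasswordChange in the same second")
```

The equivalent change in the SPL from the accepted answer is to add _time to the grouping (stats dc(kind) AS dc_kind ... BY IP, _time) and then test dc_kind=2.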

gcusello
SplunkTrust

Hi @marco_massari11,

Let me understand: if there's another password change a short time later, the result must be excluded?

What's the condition to implement:

more events with the same time and different kind? Or what else?

I suppose that you understood the approach; what's the condition to implement?

If you like, send me a message in Italian.

Ciao.

Giuseppe

marco_massari11
Communicator

Hi Giuseppe,

the final goal would be to identify when, at the same instant and regardless of the IP, a login event and a password change occur, so the other events would not fall into this case. Once the two events are identified, I would put the time and other information useful to me in a table. I hope I have clarified the purpose. Thank you very much for your time.

Thanks,

Marco


gcusello
SplunkTrust

Hi @marco_massari11,

When I spoke of a message I meant a private message, but it's the same.

In this case you can test my approach because it should run for your requirement.

As I said, learn the approach and customize it for your need.

Ciao.

Giuseppe
