Splunk Search

How to Table username if two action at the same time

marco_massari11
Communicator

Hi,

I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:

 

Login:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....

 

Pwd Change:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......

 

IP: 1.1.1.1

action : /servlet/Login, /PasswordChange

 

Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.

 

Thanks in advance!

 

Labels (6)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

marco_massari11
Communicator

Hi Giuseppe,

yes it's possible and your query is exactly what I need, but I have a problem because it's possible to have many events with login and reset at different times, like this:

1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1"....

So the 2 events at 09:38:39 should be appear in the table but it's not because the dc_time is equal to 3 cause events above

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

Let me understand: if there's anothe chang password after few time the result must be excluded?

what's the condition to implement:

more events with the same time and different kind? or what else?

I suppose that you understood the approach, what's the condition to implement?

If you like, send me a message in italian.

Ciao.

Giuseppe

marco_massari11
Communicator

Ciao Giuseppe,

l'obiettivo finale sarebbe di individuare quando allo stesso istante, indipendentemente dall' ip, si presentano un evento di login e un cambio password, quindi gli altri eventi non rientrerebbero nella casistica. Una volta individuati i due eventi, metterei in una table il time e altre informazioni a me utili. Spero di aver chiarito lo scopo. Ti ringrazio molto per il tuo tempo

Grazie,

Marco

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

when I spoke of a message I meant i private message, but it's the same.

In this case you can test my approach because it should run for your requirement.

As I said, learn the approach and customize it for your need.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...