Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Table username if two action at the same time

marco_massari11
Communicator
‎05-31-2022 03:28 AM

Hi,

I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:

 

Login:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....

 

Pwd Change:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......

 

IP: 1.1.1.1

action : /servlet/Login, /PasswordChange

 

Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.

 

Thanks in advance!

 

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 04:00 AM

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 04:00 AM

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-31-2022 05:36 AM

Hi Giuseppe,

yes it's possible and your query is exactly what I need, but I have a problem because it's possible to have many events with login and reset at different times, like this:

1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1"....

So the 2 events at 09:38:39 should be appear in the table but it's not because the dc_time is equal to 3 cause events above

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 05:50 AM

Hi @marco_massari11,

Let me understand: if there's anothe chang password after few time the result must be excluded?

what's the condition to implement:

more events with the same time and different kind? or what else?

I suppose that you understood the approach, what's the condition to implement?

If you like, send me a message in italian.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-31-2022 06:45 AM

Ciao Giuseppe,

l'obiettivo finale sarebbe di individuare quando allo stesso istante, indipendentemente dall' ip, si presentano un evento di login e un cambio password, quindi gli altri eventi non rientrerebbero nella casistica. Una volta individuati i due eventi, metterei in una table il time e altre informazioni a me utili. Spero di aver chiarito lo scopo. Ti ringrazio molto per il tuo tempo

Grazie,

Marco

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 07:02 AM

Hi @marco_massari11,

when I spoke of a message I meant i private message, but it's the same.

In this case you can test my approach because it should run for your requirement.

As I said, learn the approach and customize it for your need.

Ciao.

Giuseppe

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...