Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Table username if two action at the same time

marco_massari11
Communicator
‎05-31-2022 03:28 AM

Hi,

I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:

 

Login:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....

 

Pwd Change:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......

 

IP: 1.1.1.1

action : /servlet/Login, /PasswordChange

 

Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.

 

Thanks in advance!

 

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 04:00 AM

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 04:00 AM

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-31-2022 05:36 AM

Hi Giuseppe,

yes it's possible and your query is exactly what I need, but I have a problem because it's possible to have many events with login and reset at different times, like this:

1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1"....

So the 2 events at 09:38:39 should be appear in the table but it's not because the dc_time is equal to 3 cause events above

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 05:50 AM

Hi @marco_massari11,

Let me understand: if there's anothe chang password after few time the result must be excluded?

what's the condition to implement:

more events with the same time and different kind? or what else?

I suppose that you understood the approach, what's the condition to implement?

If you like, send me a message in italian.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-31-2022 06:45 AM

Ciao Giuseppe,

l'obiettivo finale sarebbe di individuare quando allo stesso istante, indipendentemente dall' ip, si presentano un evento di login e un cambio password, quindi gli altri eventi non rientrerebbero nella casistica. Una volta individuati i due eventi, metterei in una table il time e altre informazioni a me utili. Spero di aver chiarito lo scopo. Ti ringrazio molto per il tuo tempo

Grazie,

Marco

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 07:02 AM

Hi @marco_massari11,

when I spoke of a message I meant i private message, but it's the same.

In this case you can test my approach because it should run for your requirement.

As I said, learn the approach and customize it for your need.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...