Splunk Search

How to Table username if two action at the same time

marco_massari11
Communicator

Hi,

I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:

 

Login:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....

 

Pwd Change:

1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......

 

IP: 1.1.1.1

action : /servlet/Login, /PasswordChange

 

Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.

 

Thanks in advance!

 

Labels (6)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

let me understand you want to know if there are IPs that made login and password change at the same time?

is it possible?

Anyway, you should use eval and stats, something like this:

index=your_index ("POST /servlet/Login HTTP/1.1" OR PasswordChange)
| eval kind=if(searchmatch("Login"),"Login","PasswordChange)
| stats dc(_time) AS dc_time dc(kind) AS dc_kind values(kind) AS kind BY IP

then analyzing resuslt you can make the conditions, e.g.:

| where dc_kind>2 AND dc_time=1

Ciao.

Giuseppe

marco_massari11
Communicator

Hi Giuseppe,

yes it's possible and your query is exactly what I need, but I have a problem because it's possible to have many events with login and reset at different times, like this:

1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200...

1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1"....

So the 2 events at 09:38:39 should be appear in the table but it's not because the dc_time is equal to 3 cause events above

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

Let me understand: if there's anothe chang password after few time the result must be excluded?

what's the condition to implement:

more events with the same time and different kind? or what else?

I suppose that you understood the approach, what's the condition to implement?

If you like, send me a message in italian.

Ciao.

Giuseppe

marco_massari11
Communicator

Ciao Giuseppe,

l'obiettivo finale sarebbe di individuare quando allo stesso istante, indipendentemente dall' ip, si presentano un evento di login e un cambio password, quindi gli altri eventi non rientrerebbero nella casistica. Una volta individuati i due eventi, metterei in una table il time e altre informazioni a me utili. Spero di aver chiarito lo scopo. Ti ringrazio molto per il tuo tempo

Grazie,

Marco

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

when I spoke of a message I meant i private message, but it's the same.

In this case you can test my approach because it should run for your requirement.

As I said, learn the approach and customize it for your need.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...