Splunk Search

How to check 30 minutes after an event in Splunk for a failed login attempt?

MM0071
Path Finder

I have a search in Splunk that returns events for failed logins. I want to be able to check 30 minutes after the event for that user to see if they didn't have a successful login. I'm struggling with the second part of this search. 

index=logins
| where AuthenticationResults="failed"
| eval failedLogin=strftime(_time,"%x %r")

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index ... AuthenticationResult="failed" or AuthenticationResult="success"
| sort 0 - _time
| eval successtime = if(AuthenticationResult=="success", _time, null())
| streamstats last(successtime) as successtime by user
| where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time > 1800)

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index ... AuthenticationResult="failed" or AuthenticationResult="success"
| sort 0 - _time
| eval successtime = if(AuthenticationResult=="success", _time, null())
| streamstats last(successtime) as successtime by user
| where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time > 1800)

MM0071
Path Finder

Thank you a lot for this! Can you please explain me the logic of the last line?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There are 3 cases to consider: 1 OK and 2 not Ok - the last line attempts to find the 2 not OK

_timestatussuccess time
10:20success10:20
10:10failed10:20

log in failed but there was a successful log in within 30 minutes

_timestatussuccess time
09:40failed 

log in failed but no successful log in (success time is null)

_timestatussuccess time
08:20success08:20
07:10failed08:20

log in failed but successful log in was 70 minutes after failure

0 Karma

MM0071
Path Finder

Thank you greatly! This is what I was looking for! Do you know what I could do to only display failed in login attempts for users who did not authenticate after the 30 minutes? Would it be as simple as changing AuthenticationResult to "failure"?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That is what the where command currently does.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...