Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search to make a table of count of failed logins by user with fields in other columns?

supreetsingh75
New Member
‎01-24-2018 07:56 AM

A table with the count of failed login by a user for a day over the period of 7 days with the columns date, sourceip, destination ip, user and count. for eg.

date sourceip destinationip user count
Jan-18-2018 10.12.13.14 10.12.2.3 rolland 5
Jan-19-2018 10.12.13.14 10.12.2.3 rolland 12

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-24-2018 01:50 PM

Make sure that the time field is extracted, then you can use a bucket _time and sum up the count per user.

  index=myindex source=mytable | bucket _time span=24h | stats sum(count) by _time user

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-24-2018 01:50 PM

Make sure that the time field is extracted, then you can use a bucket _time and sum up the count per user.

  index=myindex source=mytable | bucket _time span=24h | stats sum(count) by _time user
0 Karma
Reply
Solved! Jump to solution

supreetsingh75
New Member
‎01-29-2018 07:36 AM

Bucket_time did the trick. Thank you so much!

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-24-2018 09:40 AM

From what data or table you want to create search to get count of failed logins ?

0 Karma
Reply
Solved! Jump to solution

supreetsingh75
New Member
‎01-24-2018 12:07 PM

It's a custom index that logs failed logins as actions.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-24-2018 12:28 PM

Does all events have all the fields that you want to show? If yes, you can do something like this

your base search
| eval date =strftime(_time,"%b-%d-%Y")
| stats count by date sourceip destinationip user
0 Karma
Reply
Solved! Jump to solution

supreetsingh75
New Member
‎01-24-2018 01:11 PM

this is great but I need this query to produce a report that shows a count of user login failure for 24 hours over a period of 7 days. See my output

date sourceip destinationip user count
Jan-18-2018 10.12.13.14 10.12.2.3 rolland 5
Jan-19-2018 10.12.13.14 10.12.2.3 rolland 12

Your query does not show me the same output

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-24-2018 01:32 PM

@supreetsingh75, what is the event logged during a failed login (request/response)? Please mock/anonymize any sensitive data before posting the events.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...