I am trying to create an alert that triggers when a certain number of failed logins are reported in a 5 minute time period.
Specifically, when a given user fails to login 3 successive times without a successful login in the next login attempt I want the alert to fire and list the failed login attempts (user and _time ).
1) events below trigger alert
user time login attempt status
smith 12:01 failed
smith 12:03 failed
smith 12:04 failed
2) below events will NOT trigger alert since the last event is a successful login
user time login attempt status
smith 12:01 failed
smith 12:02 failed
smith 12:03 failed
smith 12:04 succeeded
how do i create a splunk query(using the transaction command presumably) to identify user login attempts that meet the trigger condition?
Something like
| transaction user startswith="login=failed" endswith="login=succeeded" maxspan=5m maxevents=4 keepevicted=true
| where closed_txn == 0
Hi @pc1234
Here's a run anywhere example showing you a method to do this...
| makeresults | eval _raw="user,login_attempt_status
smith,failed
smith,failed
smith,succeeded
smith,failed
jones,failed
jones,failed
jones,succeeded
smith,failed
smith,failed
smith,failed
smith,failed"
| multikv forceheader=1 | streamstats count | eval _time=_time+(count*60)
| sort _time
| table _time user login_attempt_status
``` ^^^ above just creates dummy events ^^^ ```
| sort user _time ``` events need to be sorted by user and _time for following streamstats command to work ```
| streamstats reset_on_change=true window=3 count BY user login_attempt_status ``` count previous 3 login_attempt_status and reset count on group by changes ```
| stats max(_time) AS _time latest(*) AS * BY user ``` what's the latest ```
| where count=3 AND login_attempt_status="failed" ``` alert on this condition ```
Hope that helps