Given web access log data with the following fields:
_time, http_status, src_ip, dest_ip
After a bruteforce attack on a login page, where an http_status of 200 = success and 401 = failure, how can I display the number of failures, plus earliest(_time) and latest(_time), by src_ip?
I've tried using streamstats as below, but do not get what I'm looking for:
index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| streamstats reset_on_change=true count earliest(_time) AS ET latest(_time) AS LT by status
| convert ctime(ET) ctime(LT)

index=myIndex AND status=*
| stats count(eval(status="401")) AS count earliest(_time) AS ET latest(_time) AS LT by src_ip
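A fuller version of the stats approach, added here as an illustration and not taken from the question or the answer above. It assumes the field is really named http_status as the question states (the searches above use status), that the index name myIndex is a placeholder, and that a source IP with more than 20 failures in the search window is worth flagging; the threshold is an assumption to adjust to your login traffic.

```spl
index=myIndex http_status=*
| stats count(eval(http_status=401)) AS failures
        count(eval(http_status=200)) AS successes
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        dc(dest_ip) AS targets
        by src_ip
| eval duration_sec=last_seen-first_seen
| eval failures_per_min=if(duration_sec>0, round(failures/(duration_sec/60),1), failures)
| where failures>20
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| sort - failures
```

The reason the streamstats attempt did not work: streamstats keeps a running count in event order, and reset_on_change=true restarts that count every time the by-field value (here status) changes between consecutive events, so the output is the length of each run of identical status codes rather than a total per source. stats aggregates over the whole result set per src_ip, which is what the question asks for. The successes column is worth keeping beside failures: a source that produced hundreds of 401s and then one 200 is the case that needs follow-up, since the page defines 200 as a successful login.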