Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the number of failures, plus earliest(_time) and latest(_time) by src_ip?

mikefoti
Communicator
‎01-24-2023 11:01 AM

Given web access log data with following fields:

_time,  http_status, src_ip, dest_ip

After a bruteforce attack on a login page, where http_status of 200=success and 401=failure, how can I display the number of failures, plus earliest(_time) and latest(_time) by src_ip

I've tried using streamstats like below, but do not get what I'm looking for

index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| streamstats reset_on_change=true count earliest(_time) AS ET latest(_time) AS LT by status
| convert ctime(ET) ctime(LT)

Labels (1)
Labels
0 Karma
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2023 11:23 AM 
index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| stats count(eval(status="401")) as count earliest(_time) AS ET latest(_time) AS LT by src_ip

View solution in original post

0 Karma
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2023 11:23 AM 
index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| stats count(eval(status="401")) as count earliest(_time) AS ET latest(_time) AS LT by src_ip
0 Karma
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 3)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top