
How to display the number of failures, plus earliest(_time) and latest(_time) by src_ip?

mikefoti
Communicator

Given web access log data with the following fields:

_time, http_status, src_ip, dest_ip

After a brute-force attack on a login page, where an http_status of 200 = success and 401 = failure, how can I display the number of failures, plus earliest(_time) and latest(_time), by src_ip?

I've tried using streamstats like below, but do not get what I'm looking for.

index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| streamstats reset_on_change=true count earliest(_time) AS ET latest(_time) AS LT by status
| convert ctime(ET) ctime(LT)

1 Solution

ITWhisperer
SplunkTrust
index=myIndex AND status=*
| table _time status src_ip dest_ip
| sort + _time
| stats count(eval(status="401")) as count earliest(_time) AS ET latest(_time) AS LT by src_ip
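To show what the accepted stats search actually computes, here is an added Python example (not from the original post or from Splunk) that runs the same per-src_ip aggregation over a constructed set of access-log events and then flags sources that reach a failure threshold. The sample IPs and timestamps, the threshold, and the function names are assumptions made for this example.

```python
from datetime import datetime, timezone

# Constructed sample of the fields from the question (_time as epoch seconds, status, src_ip, dest_ip).
# These lines are made up for this example and are not from the original post.
SAMPLE_LOG = """\
1700000000,401,203.0.113.7,198.51.100.10
1700000005,401,203.0.113.7,198.51.100.10
1700000011,401,203.0.113.7,198.51.100.10
1700000020,200,203.0.113.7,198.51.100.10
1700000100,200,192.0.2.44,198.51.100.10
1700000130,401,192.0.2.44,198.51.100.10
"""

def parse_log(text):
    """Split the CSV-style lines into event dicts, like the fields Splunk would extract."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, status, src_ip, dest_ip = line.split(",")
        events.append({"_time": int(t), "status": status, "src_ip": src_ip, "dest_ip": dest_ip})
    return events

def stats_by_src_ip(events, failure_status="401"):
    """Mirror of: stats count(eval(status="401")) AS count earliest(_time) AS ET latest(_time) AS LT by src_ip
    Note that count covers only failures, while ET/LT span every event from that src_ip, whatever its status."""
    result = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        row = result.setdefault(e["src_ip"], {"count": 0, "ET": e["_time"], "LT": e["_time"]})
        if e["status"] == failure_status:
            row["count"] += 1
        row["LT"] = max(row["LT"], e["_time"])  # input is time-sorted, so ET stays the first time seen
    return result

def suspicious_sources(stats, min_failures=3):
    """Defender's view: sources whose failure count reaches the threshold, with the attack window length."""
    return {ip: {**row, "window_s": row["LT"] - row["ET"]}
            for ip, row in stats.items() if row["count"] >= min_failures}

def ctime(epoch):
    """Same role as `| convert ctime(...)` in the question: a human-readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    for ip, row in suspicious_sources(stats_by_src_ip(parse_log(SAMPLE_LOG))).items():
        print(ip, row["count"], ctime(row["ET"]), ctime(row["LT"]), f"{row['window_s']}s")
```

The threshold and window length are what you would tune in a real alert; the SPL itself only produces the count and the two timestamps.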
