How to edit my eventstats search to return a count of failed authentications greater than ten within a ten minute window?

New Member

Been working on a report to show the best data on authentications that failed more than ten times in a time span of 10 mins.

Am I headed in the right direction? I'm just questioning whether or not my count in the table is correct:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | eventstats count(user) as failure_count by src_ip | bucket _time span=10m |  where failure_count>10 | dedup src_ip |table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count

Appreciate any and all help.


Legend

Move the bucket to before the eventstats and group eventstats by _time as well. Like this:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | bucket _time span=10m | eventstats count(user) as failure_count by _time src_ip | where failure_count>10 | dedup src_ip | table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count

New Member

I think this is close, but comparing my numbers in the count field to raw events, it seems way off.
I had been using just stats but needed more info in the table. Here's the stats command I was using that I felt was accurate.

Thoughts?

index=wineventlog OR index=cisco_auth action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | stats count by user,signature,src_ip | where count > 10 | bucket _time span=10m

Legend

Here's the difference between the two searches.

In the search I provided, the count is grouped by _time (10m increments) and src_ip,

and in your search the count is grouped by user, signature and src_ip (more group-by fields and no time field).

To check the count, try this search:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | timechart span=10m count as failure_count by src_ip
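To make the difference between the two groupings concrete, here is an added Python model (not Splunk code and not from either poster) that reproduces the three aggregations above over a constructed set of failed-logon events: the per-window count by src_ip, the whole-period count by user/signature/src_ip, and the timechart used as the check. The timestamps, users, IPs and signature value are all constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SIG = "An account failed to log on"      # constructed signature value
BASE = datetime(2024, 1, 15, 8, 0, 0)    # constructed anchor time


def _burst(n, start_sec, user, src):
    """Constructed burst of n failures, one every 30 s, starting start_sec after BASE."""
    return [(BASE + timedelta(seconds=start_sec + 30 * i), user, src, SIG) for i in range(n)]


# Constructed sample events: (timestamp, user, src_ip, signature)
EVENTS = (
    _burst(7, 0, "alice", "10.0.0.5")      # 08:00-08:03, same window as carol below
    + _burst(5, 240, "carol", "10.0.0.5")  # 08:04-08:06 -> 12 from 10.0.0.5 in the 08:00 window
    + _burst(6, 3600, "bob", "10.0.0.9")   # 09:00-09:02
    + _burst(6, 4800, "bob", "10.0.0.9")   # 09:20-09:22 -> 12 for bob overall, but 6 per window
)


def bucket(ts, span_min=10):
    """Floor ts to the start of its span_min-minute window, like `bucket _time span=10m`."""
    return ts.replace(minute=ts.minute - ts.minute % span_min, second=0, microsecond=0)


def timechart_by_src(events, span_min=10):
    """Per-window, per-src_ip counts: the check search `timechart span=10m count by src_ip`."""
    chart = defaultdict(Counter)
    for ts, _user, src, _sig in events:
        chart[bucket(ts, span_min).strftime("%H:%M")][src] += 1
    return {window: dict(c) for window, c in sorted(chart.items())}


def windowed_failures_by_src(events, span_min=10, threshold=10):
    """bucket _time | eventstats count by _time src_ip | where failure_count>threshold."""
    counts = Counter((bucket(ts, span_min).strftime("%H:%M"), src) for ts, _u, src, _s in events)
    return {key: n for key, n in counts.items() if n > threshold}


def failures_by_user_signature_src(events, threshold=10):
    """stats count by user,signature,src_ip | where count>threshold (no time field: whole period)."""
    counts = Counter((user, sig, src) for _ts, user, src, sig in events)
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print(timechart_by_src(EVENTS))
    print(windowed_failures_by_src(EVENTS))
    print(failures_by_user_signature_src(EVENTS))
```

On this data the windowed search flags 10.0.0.5 (12 failures in one window, split across two users) while the per-user search flags only bob (12 failures, but spread over two windows), which is why the two counts disagree.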