Splunk Search

How to find out failed login attempts (EventCode=4625) which happen more than 6 times within one hour?

90509
Engager

Hi All,

I would like to find out failed login attempts that happen more than 6 times within a 1hr time span. So here the main thing is that the data comes up with event codes (Event Codes=4638,4722,4720) each and every time we run a search in the search bar.

Event code 4625 should be separate from all the other event codes, because 4625 is the only event code where we look for more than 6 failed attempts. The other three event codes we need to see each time they happen.
Could anyone please assist me with how to pull the 3 event codes every time, except event code 4625?

Below is my search:

index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
| where count>6
| fields - HourDay
| search NOT
    [| inputlookup ........csv
     | rename service_accounts as user]

0 Karma

90509
Engager

I hope the logic is correct, but I don't know; I am getting an error like "Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)"

0 Karma

sandeepmakkena
Contributor

index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND EventCode=4625
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
| where count>6
| fields - HourDay
| search NOT
    [| inputlookup ........csv
     | rename service_accounts as user]
| append
    [ search index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND (EventCode=4720 OR EventCode=4722 OR EventCode=4738)
    | fillnull value="N/A"
    | bin _time span=1hr as HourDay
    | eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
    | stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
    | where count>1
    | fields - HourDay
    | search NOT
        [| inputlookup ........csv
         | rename service_accounts as user] ]

This should work.

0 Karma
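The split the thread is after, stated outside SPL so the logic can be checked offline: 4625 events are bucketed per user per hour (the `bin _time span=1hr` step) and only buckets above the threshold are reported, while every 4720/4722/4738 event is passed through untouched. This is an added Python example, not code from the thread or from Splunk; it assumes a constructed `time|EventCode|user` record format (not the real Windows event layout) and a hypothetical service-account exclusion set standing in for the inputlookup step.

```python
from collections import defaultdict
from datetime import datetime

# Event codes the thread wants reported on every occurrence, not thresholded.
PASSTHROUGH_CODES = {"4720", "4722", "4738"}
FAILED_LOGON = "4625"
THRESHOLD = 6  # alert when a user has MORE than this many 4625s in one hour

def parse_event(line):
    """Parse one constructed 'time|EventCode|user' record (assumed format, not a real log layout)."""
    ts, code, user = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code, user

def hour_bucket(ts):
    """Equivalent of `bin _time span=1hr`: truncate the timestamp to the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)

def analyse(lines, service_accounts=frozenset()):
    """Return (alerts, passthrough). alerts maps (user, hour) -> 4625 count for buckets above
    THRESHOLD; passthrough lists every 4720/4722/4738 event as (ts, code, user). Users in
    service_accounts are excluded from alerting, mirroring `search NOT [inputlookup ...]`."""
    failed = defaultdict(int)
    passthrough = []
    for line in lines:
        ts, code, user = parse_event(line)
        if code == FAILED_LOGON:
            if user not in service_accounts:
                failed[(user, hour_bucket(ts))] += 1
        elif code in PASSTHROUGH_CODES:
            passthrough.append((ts, code, user))
    alerts = {key: n for key, n in failed.items() if n > THRESHOLD}
    return alerts, passthrough

# Constructed sample: alice fails 7 times in the 10:00 hour (alert), bob fails 3 times (no alert),
# svc_backup fails 8 times but is an excluded service account; one 4720 and one 4738 are always shown.
SAMPLE = [f"2024-05-01 10:{m:02d}:00|4625|alice" for m in range(7)] + \
         [f"2024-05-01 10:{m:02d}:00|4625|bob" for m in range(3)] + \
         [f"2024-05-01 11:{m:02d}:00|4625|svc_backup" for m in range(8)] + \
         ["2024-05-01 10:30:00|4720|carol", "2024-05-01 12:05:00|4738|dave"]

if __name__ == "__main__":
    alerts, events = analyse(SAMPLE, service_accounts={"svc_backup"})
    for (user, hour), n in sorted(alerts.items()):
        print(f"ALERT {user} {hour:%m-%d-%y %H:%M:%S} failed_logons={n}")
    for ts, code, user in events:
        print(f"EVENT {code} {user} {ts:%m-%d-%y %H:%M:%S}")
```

Running it prints one ALERT line for alice and two EVENT lines; dropping the service-account set makes svc_backup alert as well, which is the case the inputlookup exclusion exists to suppress.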

sandeepmakkena
Contributor

Did this work ?

0 Karma

90509
Engager

No, the second part of the search is not working.

0 Karma