Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get the Weekly Stats based on the Username

Shashank_87
Explorer
‎05-08-2019 01:46 AM

Hi, I am looking for some help related to one of the issues. So what i want is weekly view of users in last 90 days with their authentication status. For example in a particular week if a user has "failed login" and "success login" both and suppose in the next week, he just got success, then I want it to be reported in a table like this -

FirstDayOfTheWeek User AuthenticationStatus
01-04-2019 test1@gmail.com Failed Success
08-04-2019 test1@gmail.com Success
08-04-2019 test2@gmail.com Failed
15-04-2019 test1@gmail.com Failed Success

There could be n number of users and I want to report all of them. Is there any way to do this?I am finding it a bit tricky. This is my query where I have appended success logins events with failed login events.

index="test" sourcetype=test_events "loginSuccess"
| dedup currentUsername
| eval type="Success"
| fields currentUsername type
| append
[ search index="test" sourcetype=test_events "loginFailed" 404
| rename username as currentUsername
| dedup currentUsername
| eval type="Fail"
| fields currentUsername type
]

Tags (2)
0 Karma
Reply

dmarling
Builder
‎05-08-2019 07:08 AM

I'd suggest using a stats to accomplish this instead of an append:

index="test" sourcetype=test_events "loginSuccess" OR ("loginFailed" 404)
| eval AuthenticationStatus=if(match(_raw, "loginSuccess"), "Success", "Failed")
| eval FirstDayOfTheWeek=relative_time(_time, "@w+1d")
| stats values(AuthenticationStatus) as AuthenticationStatus by FirstDayOfTheWeek currentUsername 
| rename currentUsername as User
| fieldformat FirstDayOfTheWeek=strftime(FirstDayOfTheWeek, "%d-%m-%Y")
| sort 0 + FirstDayOfTheWeek User

The OR statement on the first line will have you search both of the conditions you want and then the values command on the stats transformation on line 4 will report the different Authentication statuses as a multivalued field. Give that a try and let me know if it works for you.

edited it to account for the currentUsername field instead of User

If this comment/answer was helpful, please up vote it. Thank you.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...