I found another thread where the user was trying something similar, with this string:
index= | transaction src_ip,user startswith="Login failed " endswith="Login succeeded" maxspan=15m maxpause=8h | stats avg(duration)
Which doesn't go off of any kind of threshold, so a single logon failure followed by a success would be shown. It was suggested, but not exactly how, to use eventstats to create a kind of count for the "Login failed"s so that a threshold could be specified, but the syntax wasn't covered, and I'm still too new to Splunk to get it right. I've been playing around with it a little bit, and was trying something like:
index= | transaction src_ip,user startswith=["Login failed" | eventstats count(src_ip) as count | where count > 10] endswith="Login succeeded" maxspan=30m
But it gives an error, which I kind of expected. I just don't understand the Splunk functions, syntax, and piping well enough to know how to get that startswith = . Do you have to run eventstats first and pipe that into the transaction to use the 15 failed logons in the transaction instead of "Login success", or can you do some kind of subsearch like I was trying with a different syntax?
Maybe this will give you something to work with
index=* | rex "(?<status>failed|succeeded)" | reverse | streamstats sum(eval(if(status="succeeded", 1, 0))) as session by src_ip user | stats count list(status) by src_ip user session | where count >= 10
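The thread's SPL is the real artifact, but the logic it is reaching for (group each user/src_ip's failed logons, close the group on the next success, and fire only when the failures inside a time window reach a threshold) is easier to see spelled out. The following Python is an added example, not code from the thread or from Splunk: it mirrors the `rex` extraction, the `reverse` to chronological order, and the `transaction ... maxspan` window over a small set of constructed log lines. The log format, field names and hostnames are assumptions made for the example; the threshold defaults to 10 to match the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread), newest first, as Splunk returns them.
SAMPLE_EVENTS = [
    "2024-01-01T10:20:00 Login succeeded user=alice src_ip=10.0.0.5",
    "2024-01-01T10:19:00 Login failed user=alice src_ip=10.0.0.5",
    "2024-01-01T10:12:00 Login failed user=carol src_ip=10.0.0.7",
    "2024-01-01T10:11:00 Login failed user=carol src_ip=10.0.0.7",
    "2024-01-01T10:10:00 Login failed user=carol src_ip=10.0.0.7",
    "2024-01-01T10:09:00 Login succeeded user=alice src_ip=10.0.0.5",
    "2024-01-01T10:08:30 Login failed user=alice src_ip=10.0.0.5",
    "2024-01-01T10:08:00 Login failed user=alice src_ip=10.0.0.5",
    "2024-01-01T10:07:30 Login failed user=alice src_ip=10.0.0.5",
    "2024-01-01T10:07:00 Login failed user=alice src_ip=10.0.0.5",
    "2024-01-01T10:05:00 Login succeeded user=bob src_ip=10.0.0.9",
    "2024-01-01T10:04:00 Login failed user=bob src_ip=10.0.0.9",
    "2024-01-01T09:00:00 Login failed user=alice src_ip=10.0.0.5",  # outside a 15m window
]

# Same job as the thread's rex: pull status plus the two grouping fields out of the raw line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) Login (?P<status>failed|succeeded) user=(?P<user>\S+) src_ip=(?P<src_ip>\S+)"
)


def parse_event(line):
    """Return a dict with _time, status, user, src_ip, or None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.fromisoformat(ev.pop("ts"))
    return ev


def find_failures_then_success(lines, threshold=10, maxspan=timedelta(minutes=15)):
    """Flag (src_ip, user) pairs whose run of failed logons, closed by a success,
    holds at least `threshold` failures within `maxspan` of that success.
    maxspan=None disables the window check."""
    events = [ev for ev in map(parse_event, lines) if ev]
    events.sort(key=lambda ev: ev["_time"])  # like `| reverse`: oldest first
    pending = defaultdict(list)  # (src_ip, user) -> failure times since the last success
    hits = []
    for ev in events:
        key = (ev["src_ip"], ev["user"])
        if ev["status"] == "failed":
            pending[key].append(ev["_time"])
            continue
        # A success closes the group (the transaction's endswith).
        failures = pending.pop(key, [])
        if maxspan is not None:
            failures = [t for t in failures if ev["_time"] - t <= maxspan]
        if len(failures) >= threshold:
            hits.append({
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failure_count": len(failures),
                "first_failure": failures[0].isoformat(),
                "success_time": ev["_time"].isoformat(),
                "duration_seconds": (ev["_time"] - failures[0]).total_seconds(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_failures_then_success(SAMPLE_EVENTS, threshold=3):
        print(hit)
```

Two details are worth carrying back to the SPL: carol's failures never produce a hit because no success closes the group, and alice's failure from 09:00 is dropped by the 15-minute window even though it belongs to the same user and source, which is the same pruning `maxspan` does in `transaction`.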
You can try to use this search:
index= | transaction src_ip,user startswith="Login failed " endswith="Login succeeded" maxspan=15m maxpause=8h | search eventcount > 5 | stats avg(duration)
With this search I created a threshold of more than 5 events in the transaction; this will show at least 5 failed logins and one succeeded.
Hope this helps
Maybe I'm misunderstanding how these functions work, but would that not just try to find 5 events of a failed logon followed by a successful logon? How does the search eventcount differentiate from the startswith and endswith out of the transaction getting piped into it? Either way, it doesn't seem to be working for me.
Hi rwmilligan, in this example it groups together all events between "Login failed" and "Login succeeded" with fields src_ip and user that are equal, doesn't matter how many events between them. After grouping the events together Splunk creates a field called "eventcount" that shows how many events were grouped together, that's why I'm searching for "eventcount greater than 5".
Were the events grouped together using the transaction command? Could you post an example of the output of the transaction command?