Hi all. I'm trying to write a search that will list users with more than 5 failed logins in the past 8 hours and then from that result, show those users that have had a failure in the past hour. I've got the first part working with this search:
index="my_index" sourcetype="my_sourcetype" earliest=-10h@h action="failed login" | stats count by username, action | where count > 5 | table username
I now have a table with the usernames I want to run my secondary search for.
How do I take that table and run a new search against it?
Thanks in advance.
index="my_index" sourcetype="my_sourcetype" earliest=-1h@h [ search index="my_index" sourcetype="my_sourcetype" earliest=-10h@h latest=-1h@h action="failed login" | stats count by username, action | where count > 5 | table username ]
The [subsearch] runs first, which produces the list of usernames that is fed to the main search.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch#Example_2:_Search_wi...
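To make the two-stage logic concrete, here is an added Python model of the search above run over constructed events (this is not Splunk code and not from the original post): `subsearch` mirrors the bracketed subsearch and `main_search` the outer search, with the field names, the `@h` snapping and the window edges taken from the SPL as written.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the original post); each dict carries
# the three Splunk fields the search uses: _time, username, action.
def ev(hour, minute, user, action="failed login"):
    return {"_time": datetime(2024, 1, 1, hour, minute), "username": user, "action": action}

NOW = datetime(2024, 1, 1, 12, 30)  # fixed "now" so the example is deterministic

EVENTS = (
    [ev(3 + i, 0, "alice") for i in range(6)]        # six failures 03:00-08:00 ...
    + [ev(11, 45, "alice")]                          # ... plus one in the last hour
    + [ev(2 + i, 30, "bob") for i in range(6)]       # six failures, none in the last hour
    + [ev(11, 20, "bob", "login")]                   # but a successful login at 11:20
    + [ev(9, i * 10, "carol") for i in range(3)]     # only three failures: under threshold
    + [ev(11, 50, "carol")]
    + [ev(11, 5 + i * 5, "dave") for i in range(7)]  # seven failures, all in the last hour
)

def snap_to_hour(t):
    """Splunk's @h modifier: snap down to the top of the hour."""
    return t.replace(minute=0, second=0, microsecond=0)

def subsearch(events, now=NOW, threshold=5):
    """[ search ... earliest=-10h@h latest=-1h@h action="failed login"
    | stats count by username | where count > 5 | table username ]"""
    earliest = snap_to_hour(now) - timedelta(hours=10)
    latest = snap_to_hour(now) - timedelta(hours=1)  # the last hour is NOT counted here
    counts = Counter(
        e["username"] for e in events
        if e["action"] == "failed login" and earliest <= e["_time"] < latest
    )
    return {user for user, n in counts.items() if n > threshold}

def main_search(events, usernames, now=NOW, failed_only=False):
    """Outer search: earliest=-1h@h, restricted to the subsearch's usernames
    (Splunk rewrites the returned table as username="a" OR username="b" ...).
    As posted the outer search has no action filter; failed_only=True adds one."""
    earliest = snap_to_hour(now) - timedelta(hours=1)
    return [
        e for e in events
        if e["_time"] >= earliest
        and e["username"] in usernames
        and (not failed_only or e["action"] == "failed login")
    ]

def users_in_last_hour(events=EVENTS, now=NOW, failed_only=False):
    hits = main_search(events, subsearch(events, now), now, failed_only)
    return sorted({e["username"] for e in hits})
```

With the sample data, `dave` never reaches the outer search because `latest=-1h@h` keeps his seven failures out of the count, and `bob` matches the outer search only through his successful login unless `failed_only=True` is set.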