Splunk Search

In a search, how would one count the number of times a value appears in a defined time segment over a longer period of time?

nickcardenas
Path Finder

Hi everybody,

The search I'm trying to create is to alert possible brute force attacks using WindowEventLogs.

I'd like to have a search (alert) that runs every hour and splits that hour into 5 minute time blocks. For each of these time blocks, I'd like to have some logic to output to a table whenever there are "X" amount of failed attempts (or more) in ANY of the 12 five minute blocks within that hour.

I imagine the results to look like this (X here is hypothetically 5):

User        Time       Count 
Bob         12:00        5
Alice       12:25        6
Steve       12:55       10

The current search I have written is:

basesearch sourcetype="WindowsEventLogs" eventCode=4265 etc. (with time picker set at "last 60minutes" )
| dedup _time user 
| bin _time span=5m 
| eventstats count by user
| search count > 5
| table user, time, count 

The result of this query yields me duplicates and an overall count of how many times a user failed a logon in the whole 60-minute time range, rather than the count of how many times a user fails a login in each of the 5-minute intervals.

I've searched all over and could appreciate some help! Thank you.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Just a guess, but maybe using streamstats time_window=5m count by user instead of eventstats will help.

---
If this reply helps you, Karma would be appreciated.
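
The logic the question asks for (fixed 5-minute blocks inside the hour, one count per user per block, rows only where the count reaches X) and the sliding-window variant the accepted answer suggests, reimplemented in Python over a constructed set of failed-logon events so the difference is visible on real-looking data. This is an added example, not code from the thread or from Splunk; the SPL pipelines in the docstrings are the equivalent searches, and the base search, the threshold of 5, the sample users and timestamps, and the inclusive window boundary are all assumptions of the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon events as (timestamp, user) pairs.
# They are made up for this example; they are not events from the thread.
T0 = datetime(2024, 3, 1, 12, 0)


def _burst(user, start_min, n, step_sec=30):
    """n failures for one user starting at T0 + start_min, one every step_sec seconds."""
    return [(T0 + timedelta(minutes=start_min, seconds=i * step_sec), user) for i in range(n)]


SAMPLE_EVENTS = (
    _burst("Bob", 0, 5)        # 5 failures inside the 12:00 bin
    + _burst("Alice", 25, 6)   # 6 failures inside the 12:25 bin
    + _burst("Steve", 55, 10)  # 10 failures inside the 12:55 bin
    + _burst("Carol", 10, 4)   # 4 failures in the 12:10 bin ...
    + _burst("Carol", 30, 3)   # ... plus 3 in the 12:30 bin: 7 over the hour, never 5 in one bin
)


def bin_start(ts, span):
    """Floor ts to the start of its fixed-width bin (what `bin _time span=5m` does)."""
    return datetime.min + ((ts - datetime.min) // span) * span


def fixed_bin_counts(events, span=timedelta(minutes=5)):
    """Count events per (bin, user): `| bin _time span=5m | stats count BY _time, user`."""
    counts = Counter()
    for ts, user in events:
        counts[(bin_start(ts, span), user)] += 1
    return counts


def flag_fixed_bins(events, threshold, span=timedelta(minutes=5)):
    """Rows (user, bin_start, count) for every bin in which a user reached the threshold.

    SPL equivalent of the corrected search (base search elided, as in the thread):
      <basesearch> earliest=-60m
      | bin _time span=5m
      | stats count BY _time, user
      | where count >= 5
      | table user, _time, count
    """
    rows = [
        (user, start, n)
        for (start, user), n in fixed_bin_counts(events, span).items()
        if n >= threshold
    ]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def whole_window_counts(events):
    """What `eventstats count BY user` gave the poster: one total per user over the
    entire search window, so a slow drip of failures looks the same as one burst."""
    return Counter(user for _, user in events)


def flag_sliding_window(events, threshold, window=timedelta(minutes=5)):
    """Approximation of the accepted answer's `streamstats time_window=5m count BY user`:
    walk events in time order and count the user's events in the trailing window that
    ends at the current event (boundary inclusive; an assumption of this example).
    streamstats itself emits one row per event, which is the duplication the poster
    saw; here a user is reported once per burst, at the event that reaches the threshold."""
    recent = defaultdict(deque)  # user -> timestamps still inside the trailing window
    over = set()                 # users already reported for the current burst
    hits = []
    for ts, user in sorted(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if user not in over:
                hits.append((user, ts, len(q)))
                over.add(user)
        else:
            over.discard(user)
    return hits


if __name__ == "__main__":
    print("per-5-minute-bin alerts (threshold 5):")
    for user, start, n in flag_fixed_bins(SAMPLE_EVENTS, threshold=5):
        print(f"  {user:<6} {start:%H:%M}  {n}")
    print("sliding-window alerts (threshold 5):")
    for user, ts, n in flag_sliding_window(SAMPLE_EVENTS, threshold=5):
        print(f"  {user:<6} {ts:%H:%M:%S}  {n}")
    print("whole-window totals (the eventstats view):", dict(whole_window_counts(SAMPLE_EVENTS)))
```

The fixed-bin version is the direct answer to the question: `stats` (rather than `eventstats`) collapses each (bin, user) pair to one row, which removes the duplicates, and putting `_time` in the BY clause is what makes the count per 5-minute block instead of per hour. Carol shows why that matters for a brute-force alert: her 7 failures over the hour would trip a whole-window count, but she never reaches 5 in any one block. The sliding-window version catches a burst that straddles a bin boundary, which fixed bins can split into two sub-threshold halves, at the cost of the per-event rows that then need de-duplicating.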

nickcardenas
Path Finder

Replacing this alone didn't fix the search; however, with streamstats I'm able to do a workaround now! Adding streamstats to my search yielded me Time and users but with some duplicates; however, counting by these duplicates and user I'm able to yield exactly what I'm looking for. Thank you so much!

0 Karma