Removing events with duplicate fields from transaction command

Explorer

Hi all,
I am writing a query to detect brute force attempts, where the username is different in each request.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count by clientip | search count >5 | sort count desc

This is giving me results if someone has typed in the same username within 2 mins; I want to avoid those. So I want to know if someone tried to log in more than 5 times with different usernames from the same IP.

I tried my luck with dedup, but it doesn't seem to be working.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | dedup username | stats count by clientip | search count >5 | sort count desc

Thank you


Builder

Pretty sure this will do what you want...

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats dc(clientip) AS "Client IP" values(username) AS "User Name" dc(username) AS "usernames" by clientip | where usernames > 5 | table clientip, "User Name"


Contributor

Hi,

I don't have logfiles to recreate your scenario, so I can't test this, but would this work?

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count as ipcount dc(username) as usercount by clientip | where ipcount>5 AND usercount>5

That would only catch cases where each login was tried with a different username, though; perhaps usercount>3 or something would be nice.

Hth,
Kai.

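To make the `dc(username)` approach used in both answers concrete, here is an added Python re-implementation (not from this thread or from Splunk) of the `transaction clientip maxspan=60m maxpause=2m` grouping followed by a distinct-username count per clientip, run over constructed sample lines. The log format, the `username=`/`clientip=` field layout and the sample IPs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample (not from the original post), already
# filtered the way the SPL does with username!="NULL".
BASE = datetime(2024, 5, 1, 10, 0, 0)
def _line(secs, user, ip):
    return f"{(BASE + timedelta(seconds=secs)).isoformat()} sshd: failed login username={user} clientip={ip}"
SAMPLE_LOGS = "\n".join(
    # 198.51.100.7 cycles through six usernames: the spray the asker wants to catch
    [_line(20 * i, f"user{i}", "198.51.100.7") for i in range(6)]
    # 203.0.113.5 retries one account eight times: the hit the asker wants to drop
    + [_line(15 * i, "alice", "203.0.113.5") for i in range(8)]
    # 192.0.2.9 tries three accounts, pauses 10 minutes, then two more
    + [_line(10 * i, f"svc{i}", "192.0.2.9") for i in range(3)]
    + [_line(600 + 10 * i, f"svc{i}", "192.0.2.9") for i in range(3, 5)]
)
LINE_RE = re.compile(r"^(\S+) .*\busername=(\S+) clientip=(\S+)")

def parse(text):
    """Return (timestamp, username, clientip) for each line matching LINE_RE."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def transactions(events, maxspan=timedelta(minutes=60), maxpause=timedelta(minutes=2)):
    """Emulate `transaction clientip maxspan=60m maxpause=2m`: per clientip, start a new
    group when the gap to the previous event exceeds maxpause or the span would exceed maxspan."""
    by_ip = {}
    for ts, user, ip in sorted(events):
        by_ip.setdefault(ip, []).append((ts, user))
    groups = []  # [(clientip, [usernames in time order]), ...]
    for ip, evs in by_ip.items():
        cur = []
        for ts, user in evs:
            if cur and (ts - cur[-1][0] > maxpause or ts - cur[0][0] > maxspan):
                groups.append((ip, [u for _, u in cur]))
                cur = []
            cur.append((ts, user))
        groups.append((ip, [u for _, u in cur]))
    return groups

def suspicious_ips(events, threshold=5):
    """Emulate `stats dc(username) AS usernames by clientip | where usernames > 5`: dc()
    counts distinct names across all of an IP's transactions, so retries of one account count once."""
    users = {}
    for ip, names in transactions(events):
        users.setdefault(ip, set()).update(names)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > threshold}
```

Running `suspicious_ips(parse(SAMPLE_LOGS))` flags only 198.51.100.7; the eight retries of `alice` from 203.0.113.5 collapse to one distinct username and drop out, which is exactly what `dedup username` after `transaction` could not do on the multivalue field.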