Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Removing events with duplicate fields from transaction command

dineshp
Explorer
‎10-06-2015 08:40 PM

Hi all,
I am writing a query to detect brute force attempts, where the username is different in each request.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count by clientip | search count >5 | sort count desc

This is giving me if someone has typed in same username within 2 mins, i want to avoid those. So i want to know if someone tried to login more than 5 times with different usernames from the same IP.

I tried my luck with dedup, but it doesn't seem to be working.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | dedup username | stats count by clientip | search count >5 | sort count desc

Thank You

0 Karma
Reply

mydog8it
Builder
‎10-07-2015 12:10 PM

Pretty sure this will do what you want...

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats dc(clientip) AS "Client IP" values(username) AS "User Name" dc(username) AS "usernames" by clientip | where usernames > 5 | table clientip, "User Name"

0 Karma
Reply

knielsen
Contributor
‎10-07-2015 03:12 AM

Hi,

I don't have logfiles to recreate your scenario, so I can't test this, but would this work?

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count as ipcount dc(username) as usercount by clientip | where ipcount>5 AND usercount>5

That would only catch cases where each login was tried with a different username though, perhaps usercount>3 or something would be nice.

Hth,
Kai.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...