Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL Query Error

adoumbia
Engager
‎11-27-2024 01:12 PM

I am trying to write an spl query to detect an event of a single source IP address  or a user fails multiple time to login to multiple accounts.

can anyone help me write it.

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2024 01:18 PM

Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)

0 Karma
Reply

adoumbia
Engager
‎11-27-2024 01:33 PM

i want to find out which IP address, hostname or username has failed multiple time to login to multiple accounts.
I am trying to detect brute force attack.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2024 11:48 PM

Hi @adoumbia ,

as @ITWhisperer said, it's really difficoult to help you without knowing the events to apply the search.

Anyway, if you need a brute force attack sample search, you can see in the Splunk Security Essentials App ( https://splunkbase.splunk.com/app/3435 ) where you can find what you're searching and many other Security Use Cases.

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2024 01:44 PM

Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...