Solved: [Search] Avg failed logins by user per day

test_qweqwe · ‎12-05-2017

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure"

it's shows me all failed auth users on machine and I don't know how to property continuum this search to show avg failed logins by user per day

MonkeyK · ‎12-05-2017

so you already have username and _time. you should be able to do something like this:

base search | bin _time as date span=1d |  stats count by username date| stats avg(count) by username

The first stats will give you daily counts. The second one will average them.
I am not sure if there is a way to combine the two stats commands, so maybe someone else will have something more elegant

View solution in original post

MonkeyK · ‎12-05-2017

so you already have username and _time. you should be able to do something like this:

base search | bin _time as date span=1d |  stats count by username date| stats avg(count) by username

The first stats will give you daily counts. The second one will average them.
I am not sure if there is a way to combine the two stats commands, so maybe someone else will have something more elegant

[Search] Avg failed logins by user per day

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

[Search] Avg failed logins by user per day

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025