Re: Search Help - Finding and comparing events wit...

jeremyarcher · ‎04-04-2015

I've got about 4-5 different use cases that all require the same type of search logic / correlation but are run against a single sourcetype.

One example is I'd like to search Windows security event logs to find all events where a single username was used to attempt to log in but the computer was different within a x period of time. Or, the reverse, to find events where a single computer was being used to attempt to authenticate at least 3 or more different usernames within a x period of time.

woodcock · ‎05-14-2015

Try this base search:

sourcetype=WindowsSecurityEvents | streamstats last(host) AS prevHost BY username | streamstats last(username) AS prevUsername BY host

For the first example to show events where a single username was on multiple hosts yo tack on this:

| where prevHost!=host

For the first example to show events where a single username was on multiple hosts yo tack on this:

| where prevUsername!=username

martin_mueller · ‎04-05-2015

What exactly is your question?

If you need help building such searches, do post sample data and describe what you'd need the results to look like.

Search Help - Finding and comparing events within a single sourcetype

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor