Splunk Search

Search Help - Finding and comparing events within a single sourcetype

Path Finder

I've got about 4-5 different use cases that all require the same type of search logic / correlation but are run against a single sourcetype.

One example is I'd like to search Windows security event logs to find all events where a single username was used to attempt to log in but the computer was different within a x period of time. Or, the reverse, to find events where a single computer was being used to attempt to authenticate at least 3 or more different usernames within a x period of time.

Tags (1)
0 Karma

Esteemed Legend

Try this base search:

sourcetype=WindowsSecurityEvents | streamstats last(host) AS prevHost BY username | streamstats last(username) AS prevUsername BY host

For the first example to show events where a single username was on multiple hosts yo tack on this:

| where prevHost!=host

For the first example to show events where a single username was on multiple hosts yo tack on this:

| where prevUsername!=username
0 Karma

SplunkTrust
SplunkTrust

What exactly is your question?

If you need help building such searches, do post sample data and describe what you'd need the results to look like.

0 Karma