I'm trying to come up with a Splunk search query that I can use to find when customers have first attempted to log in. We often get call-outs regarding credential stuffing attacks, where hundreds of accounts have attempted to log in, and part of my analysis is finding when these accounts first attempted to log in.
At the moment I've got this:
index=keycloak
| sort time
| streamstats first(time) as first_login by username
| dedup username
| table username, first_login
The usernames are on display, but the 'first_login' column is empty.
Hello @jhilton90
You can also try using the stats command.
index=keycloak
| sort _time
| stats first(_time) as first_login by username
| eval time=strftime(first_login,"%Y-%m-%d %H:%M:%S")
If this helps, karma would be appreciated.
Thanks,
Manasa
Hi @jhilton90,
I don't know what you mean by "time"; if you mean the event's timestamp, you could try with _time:
index=keycloak
| sort _time
| streamstats earliest(_time) as first_login by username
| eval first_login=strftime(first_login,"%Y-%m-%d %H:%M:%S")
| table username, first_login
Ciao.
Giuseppe
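Building on both answers above, an added example (not from any of the posters) that does the whole credential-stuffing analysis in one search: it takes each username's chronologically earliest attempt over all history with stats earliest(), which needs no prior sort, and then keeps only accounts whose very first attempt falls inside the suspected attack window. The fields src_ip and result are assumptions about how the Keycloak events are extracted; only username and _time are taken from the thread.

```spl
index=keycloak earliest=0 username=*
    /* earliest=0 searches all history, so first_attempt is the true first login attempt,
       not merely the first one inside the time picker's range */
| stats earliest(_time) AS first_attempt,
        count AS attempts,
        dc(src_ip) AS distinct_ips,
        values(result) AS outcomes
        BY username
    /* earliest() is chronological regardless of event order, which is why the
       original first(time) over a nonexistent field came back empty */
| eval first_attempt_str=strftime(first_attempt, "%Y-%m-%d %H:%M:%S")
    /* attack window: assumed to be the last 24 hours; adjust to the call-out period */
| where first_attempt >= relative_time(now(), "-24h@h")
    /* accounts never seen before the window are the likely stuffed credentials */
| sort 0 first_attempt
| table username, first_attempt_str, attempts, distinct_ips, outcomes
```

Dropping the where clause turns this into the plain "first login per user" report the question asked for, with one row per username and no dedup needed.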