Splunk Search

Top 10 list of failed login attempts for a specific application by user name

snix
Communicator

I am trying to get a top 10 list of failed login attempts for a specific application by user name over a period of time using a timechart.

index="AppNameHere" Event_ID="123456" |
timechart count by username span=1day limit=10 useother=0

When I go to visualize it as a line chart I see that it breaks out each username with its own line and limits it to 10 users, but it's the first 10 users, period, and not the top 10 users sorted by the count of failed login events.

Can you do this in a timechart or can I do a presort then timechart that?

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

index="AppNameHere" Event_ID="123456" [index="AppNameHere" Event_ID="123456" | top 10 username | table username]
| timechart count by username span=1day limit=10 useother=0



snix
Communicator

Sorry yes I had an issue submitting and re-posted it thinking it didn't work the first time, sorry.

0 Karma

woodcock
Esteemed Legend

Try my answer(s), that will do it.

0 Karma


snix
Communicator

I saw you posted this yesterday and I was not quite able to wrap my head around how sub-searches worked. Did some more digging until I read that when the search is executed it executes whatever is in the brackets first, then runs the rest of the search.

That made me realize it's like a basic algebra problem, and what I was doing in the brackets was just trying to get a list of the top 10 users and injecting them into the main search. After that I was able to quickly come up with a working search. I came back here to post my results and found they were almost identical to what you had already posted yesterday.

If I wasn't so thick-headed I would have got what I was looking for a day earlier thanks to you. Hahaha

woodcock
Esteemed Legend

Sometimes that's just how it goes.

0 Karma

woodcock
Esteemed Legend

On what basis (time-sub-span) would you like it to calculate topness? Do you see the problem? What is top 10 for one slice of time, may not be for any other slice.

0 Karma

snix
Communicator

You are right I want top 10 over the span of the entire search.

What I am trying to achieve is getting a list of the 10 users who had the most failed attempts over the entire search period. Then put that list into a line or area chart that shows the number of failures each day for each user over the selected time period. In our case it will probably be 3-6 months.

We are looking for users who have a large number of failed login attempts over a long period of time, but want to break it down into chunks like per day so we can see if all the failures for a given user were in a single day or if they happen in smaller chunks consistently over each month or even each day. This would help tell us if the account was under attack or if the user uses sites like mint.com to log in to our site to check account balances automatically.

If they sign into a system like mint.com, put in their credentials, then change their credentials later on our site and forget to change them in mint.com, we would expect to see consistent failed traffic each day from that account.

0 Karma

somesoni2
SplunkTrust

Try like this

index="AppNameHere" Event_ID="123456" | bucket span=1d _time | stats count by _time username | sort 0 _time -count | dedup _time

OR

index="AppNameHere" Event_ID="123456" | bucket span=1d _time | stats count by _time username | sort 0 _time -count | dedup _time | timechart span=1d sum(count) as count by username limit=0
0 Karma
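The two searches in this thread answer different questions: woodcock's subsearch ranks users over the whole search window and then charts those users per day, while somesoni2's `sort 0 _time -count | dedup _time` keeps only the single busiest user for each day. The Python below is an added model of both pipelines over a constructed set of failed-login events; it is not Splunk code and not either poster's, and the usernames, timestamps and the `burst_ratio` helper (which captures the "one big burst vs. steady daily failures" distinction snix describes) are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample data (not from the thread): one failed login per line,
# "ISO timestamp username", standing in for Event_ID=123456 in index AppNameHere.
# alice fails 3 times every day (stale stored credential pattern),
# bob fails 12 times on a single day (burst pattern), carol and dave are noise.
SAMPLE_EVENTS = """
2024-03-01T08:00:00 alice
2024-03-01T08:05:00 alice
2024-03-01T08:10:00 alice
2024-03-01T09:00:00 carol
2024-03-02T02:00:00 bob
2024-03-02T02:00:05 bob
2024-03-02T02:00:10 bob
2024-03-02T02:00:15 bob
2024-03-02T02:00:20 bob
2024-03-02T02:00:25 bob
2024-03-02T02:00:30 bob
2024-03-02T02:00:35 bob
2024-03-02T02:00:40 bob
2024-03-02T02:00:45 bob
2024-03-02T02:00:50 bob
2024-03-02T02:00:55 bob
2024-03-02T08:00:00 alice
2024-03-02T08:05:00 alice
2024-03-02T08:10:00 alice
2024-03-03T08:00:00 alice
2024-03-03T08:05:00 alice
2024-03-03T08:10:00 alice
2024-03-03T10:00:00 dave
2024-03-03T10:01:00 dave
"""


def parse_events(text):
    """Return (day, username) pairs; truncating to the date is `bucket span=1d _time`."""
    events = []
    for line in text.strip().splitlines():
        timestamp, user = line.split()
        events.append((timestamp[:10], user))
    return events


def daily_counts(events):
    """Equivalent of `stats count by _time username` on the day-bucketed events."""
    return Counter(events)  # keys are (day, user)


def top_users(events, n=10):
    """Whole-window ranking, the job of the subsearch `top 10 username`.
    Ties are broken by username so the result is deterministic."""
    totals = Counter(user for _, user in events)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [user for user, _ in ranked[:n]]


def timechart_top(events, n=10):
    """`[subsearch] | timechart count by username`: per-day counts for the
    top-n users of the entire window, with explicit zeros on quiet days."""
    keep = sorted(top_users(events, n))
    days = sorted({day for day, _ in events})
    counts = daily_counts(events)
    return {day: {u: counts.get((day, u), 0) for u in keep} for day in days}


def top_user_per_day(events):
    """`sort 0 _time -count | dedup _time`: one row per day, the busiest user
    that day. Note this can hide a user who is top over the whole window."""
    counts = daily_counts(events)
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))
    best = {}
    for (day, user), count in ordered:
        best.setdefault(day, (user, count))  # first row per day survives dedup
    return best


def burst_ratio(events, user):
    """Share of a user's failures that fall on their single busiest day.
    Close to 1.0 means one burst; a low, flat value means steady daily failures."""
    per_day = Counter(day for day, u in events if u == user)
    total = sum(per_day.values())
    return max(per_day.values()) / total if total else 0.0


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("top 2 over whole window:", top_users(evs, 2))
    for day, row in timechart_top(evs, 2).items():
        print(day, row)
    print("busiest user per day:", top_user_per_day(evs))
    for u in ("alice", "bob"):
        print(f"{u}: burst ratio {burst_ratio(evs, u):.2f}")
```

Running it shows why the per-day `dedup` answer does not match the original question: alice is the busiest user on two of the three days, bob on one, yet over the whole window bob's single burst outranks alice. The subsearch route keeps both in the chart, and the daily rows then make the burst (bob) and the steady trickle (alice) visually distinct.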