I am trying to get a top 10 list of failed login attempts for a specific application by user name over a period of time using a timechart.
index="AppNameHere" Event_ID="123456" |
timechart count by username span=1day limit=10 useother=0
When I go to visualize it as a line chart, I see that it breaks out each username with its own line and limits it to 10 users, but it's the first 10 users, period, and not the top 10 users sorted by the count of failed login events.
Can you do this in a timechart, or can I do a presort and then timechart that?
Try this:
index="AppNameHere" Event_ID="123456" [index="AppNameHere" Event_ID="123456" | top 10 username | table username]
| timechart count by username span=1day limit=10 useother=0
This appears to be a duplicate of:
https://answers.splunk.com/answers/569312/timechart-top-10-users-by-number-of-failed-login-a.html
Sorry, yes, I had an issue submitting and re-posted it thinking it didn't work the first time.
Try my answer(s), that will do it.
I saw you posted this yesterday and I was not quite able to wrap my head around how sub-searches worked. Did some more digging till I read that when the search is executed, it executes whatever is in the brackets first and then runs the rest of the search.
That made me realize it's like a basic algebra problem, and what I was doing in the brackets is just trying to get a list of the top 10 users and injecting them into the main search. After that I was able to quickly come up with a working search. I came back here to post my results and found they were almost identical to what you had already posted yesterday.
If I wasn't so thick-headed I would have got what I was looking for a day earlier thanks to you. Hahaha
Sometimes that's just how it goes.
On what basis (time-sub-span) would you like it to calculate topness? Do you see the problem? What is top 10 for one slice of time may not be for any other slice.
You are right, I want top 10 over the span of the entire search.
What I am trying to achieve is getting a list of the top 10 users who had the most failed attempts over the entire search period. Then put that list into a line or area chart that shows the number of failures each day for each user over the selected time period. In our case it will probably be 3-6 months.
We are looking for users who have a large number of failed login attempts over a long period of time, but want to break it down into chunks like per day so we can see if all the failures for a given user were all in a single day or if they happen in smaller chunks consistently over each month or even each day. This would help tell us if the account was under attack or if the user uses sites like mint.com to log in to our site to check account balances automatically.
If they sign into a system like mint.com, put in their credentials, then change their credentials later on our site and forget to change them in mint.com, we would expect to see consistent failed traffic each day from that account.
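The logic behind the subsearch approach, as an added Python example run over a constructed sample of failed-login events (this is not Splunk code and not from this thread): first pick the top N users over the whole search window, then break only their failures down per day, and summarise whether each user's failures cluster in one day or trickle in daily. The event list, usernames and dates are all made up for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample of failed-login events as (day, username).
# It deliberately contains a user who appears first in the data but has few
# failures (alice), a user whose failures all land on one day (mallory), and
# a user with a steady daily trickle (bob), the stale-saved-password pattern.
EVENTS = [
    ("2019-01-01", "alice"),
    ("2019-01-01", "bob"), ("2019-01-02", "bob"), ("2019-01-03", "bob"),
    ("2019-01-04", "bob"), ("2019-01-05", "bob"),
    ("2019-01-03", "mallory"), ("2019-01-03", "mallory"),
    ("2019-01-03", "mallory"), ("2019-01-03", "mallory"),
    ("2019-01-02", "carol"), ("2019-01-04", "carol"),
]

def top_users(events, n):
    """Top-n usernames by failed-login count over the whole window.
    This is what the subsearch `top 10 username` computes, as opposed to the
    first n usernames encountered, which is what `timechart ... limit=10`
    picks."""
    totals = Counter(user for _, user in events)
    return [user for user, _ in totals.most_common(n)]

def daily_counts(events, users):
    """Per-day failed-login counts restricted to `users`, i.e. the rows the
    outer `timechart count by username span=1day` would chart."""
    by_day = defaultdict(Counter)
    keep = set(users)
    for day, user in events:
        if user in keep:
            by_day[day][user] += 1
    return {day: dict(counts) for day, counts in sorted(by_day.items())}

def failure_pattern(events, user):
    """Summarise whether one user's failures are concentrated in a single day
    (a burst worth investigating) or spread across many days (for example an
    aggregator retrying a password the user has since changed)."""
    days = Counter(day for day, u in events if u == user)
    return {"total": sum(days.values()), "days_active": len(days),
            "max_single_day": max(days.values()) if days else 0}

if __name__ == "__main__":
    top = top_users(EVENTS, 2)
    print("top users:", top)
    for day, counts in daily_counts(EVENTS, top).items():
        print(day, counts)
    for u in top:
        print(u, failure_pattern(EVENTS, u))
```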
Try like this:
index="AppNameHere" Event_ID="123456" | bucket span=1d _time | stats count by _time username | sort 0 _time -count | dedup _time
OR
index="AppNameHere" Event_ID="123456" | bucket span=1d _time | stats count by _time username | sort 0 _time -count | dedup _time | timechart span=1d sum(count) as count by username limit=0