Splunk Search

Using dedub on same results within 1 minute range

SkuLLo99
Loves-to-Learn

Hi

I'm trying to find user that login on Non-working hour between 4pm-4am by looking at eventcode=4624.I need to exclude the same user within 1 minute range to reduce number of events so I try to using dedup user, _time but it only delete the user that has same time.

Code:

index=wineventlog EventCode=4624 category=Logon
| eval workHour=strftime(_time, "%H") 
| where workHour <= 4 OR workHour >= 22 
| dedup user _time
| table _time user

I also get the results but that's too high due to event that has the same user login at the same minute like

22:02:00 userA
22:02:15 userA
22:02:17 userA
22:05:00 userB
22:05:13 userฺB
22:05:18 userA

how to make it like
22:02:00 userA
22:05:00 userB
22:05:18 userA

I was try to use bin user span=1m but it not work for me

Any help guys?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Adding the bin command will convert _time from H:M:S to H:M so Splunk can dedup better.  Try this:

index=wineventlog EventCode=4624 category=Logon
| eval workHour=strftime(_time, "%H") 
| where workHour <= 4 OR workHour >= 22 
| bin span=1m _time
| dedup user _time
| table _time user

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

SkuLLo99
Loves-to-Learn

Hi

Adding bin _time is help reduce amount of events but still doesn't give results I need

cause if 2 different user like userA, userB login on same minute but different second it will show only 1 user like:

22:02:00 user A
22:02:10 user B

using bin _time will show only user A

I'm not sure Is there a way to use bin user like bin _time 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

@SkuLLo99 the @richgalloway solution should work, but another way to do this is to use stats to aggregate rather than dedup, like this

index=wineventlog EventCode=4624 category=Logon
| eval workHour=strftime(_time, "%H") 
| where workHour <= 4 OR workHour >= 22
| bin _time span=1m
| stats count by user, _time

 which will show you the count of times each user logged in during each 1 minute period

0 Karma

SkuLLo99
Loves-to-Learn

Hi

I don't need results to show same user in1 minute period. I want to exclude them out of results and show only 1 results of that user like example I show above.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

@SkuLLo99 

I understand you were looking to reduce the event count. stats will do that and will show you only 1 result for each user in each minute.

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...