What is the best way to produce a frequency table for user access over extended time?

reswob4
Builder

I have been asked to determine the logon frequency for a certain group of users (about 50) over a two month time span. That group has been entered into a lookup table.

I know I can create a search such as the following:

index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user 

While I plan to run this as a report overnight because of the length of time it probably will take, I have a couple of challenges:

Can I just put this into a table in a csv where it is a long list of users across the top and all the dates down the left side and each block has the number of events for that user on that day?

And when I try to do this, I get about eight names and the rest are bunched into one group called OTHER.

How do I make that other group break out so I can download a list showing individual names?

I hope that's clear...

Thanks.

1 Solution

somesoni2
Revered Legend

That is the default behavior of the limit setting of the timechart command: it provides the top 10 results and all others are clubbed into OTHER. Use limit=0 to get all the values.

index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user limit=0

See this for more information
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart#Optional_arguments

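To make the limit behaviour concrete, here is an added Python illustration (not code from this thread or from Splunk) that does offline what `timechart span=1d count by user` does: it buckets constructed 4624-style events by day and user, keeps the busiest `limit` users as columns and folds the rest into OTHER, and with `limit=0` breaks every user out. The sample events, the `WATCHED_USERS` set standing in for `users.csv`, and the tie-break by name are all assumptions of the example.

```python
"""Per-user, per-day logon frequency table with timechart-style column limiting."""
from collections import Counter, defaultdict
from datetime import datetime
import csv
import io

# Constructed sample standing in for EventCode=4624 events: "<ISO timestamp> <user>".
SAMPLE_EVENTS = [
    "2019-11-04T08:12:00 alice", "2019-11-04T08:15:00 alice", "2019-11-04T09:00:00 bob",
    "2019-11-04T09:30:00 carol", "2019-11-04T10:00:00 dave",
    "2019-11-05T08:05:00 alice", "2019-11-05T08:40:00 bob", "2019-11-05T08:41:00 bob",
    "2019-11-05T11:00:00 erin",
    "2019-11-06T07:50:00 alice", "2019-11-06T12:00:00 carol", "2019-11-06T12:10:00 svc-backup$",
]

# Stands in for the users.csv lookup that scopes the search to the group of interest.
WATCHED_USERS = {"alice", "bob", "carol", "dave", "erin"}


def parse_event(line):
    """Return (day, user) for one sample line; day is 'YYYY-MM-DD', i.e. the span=1d bucket."""
    stamp, user = line.split(" ", 1)
    day = datetime.fromisoformat(stamp).date().isoformat()
    return day, user


def logon_table(lines, watched, limit=10):
    """Count logons per (day, user) and pick the columns the way timechart's limit does.

    limit > 0 keeps the `limit` users with the highest total count as their own columns
    and folds everyone else into a single OTHER column; limit == 0 keeps every user.
    Returns (days, columns, table) with table[day][column] = count.
    """
    per_day = defaultdict(Counter)
    totals = Counter()
    for line in lines:
        day, user = parse_event(line)
        if user not in watched:          # the [inputlookup users.csv] subsearch filter
            continue
        per_day[day][user] += 1
        totals[user] += 1

    # Rank by total, then by name, so the result is deterministic (assumed tie-break;
    # Splunk's own ordering of tied series is not reproduced here).
    ranked = sorted(totals, key=lambda u: (-totals[u], u))
    kept = ranked if limit == 0 else ranked[:limit]
    folded = [u for u in ranked if u not in kept]

    columns = sorted(kept) + (["OTHER"] if folded else [])
    days = sorted(per_day)
    table = {}
    for day in days:
        row = {u: per_day[day][u] for u in kept}
        if folded:
            row["OTHER"] = sum(per_day[day][u] for u in folded)
        table[day] = row
    return days, columns, table


def to_csv(days, columns, table):
    """Render the table as CSV: dates down the left, one column per user (plus OTHER)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["_time"] + columns)
    for day in days:
        writer.writerow([day] + [table[day].get(c, 0) for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    # limit=2 shows the OTHER bucket; limit=0 shows every watched user as a column.
    print(to_csv(*logon_table(SAMPLE_EVENTS, WATCHED_USERS, limit=2)))
    print(to_csv(*logon_table(SAMPLE_EVENTS, WATCHED_USERS, limit=0)))
```

With `limit=2` the CSV has columns alice, bob and OTHER; with `limit=0` it has one column per watched user and no OTHER, which is the layout asked for in the question. The `svc-backup$` event is dropped by the lookup filter in both cases.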

hartfoml
Motivator

This is a great login search that I use. I got most of it from MalwareArchaeology.com.

sourcetype="WinEventLog:Security" EventCode=4624 NOT (host="DC1" OR host="DC2" OR host="DC…") NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT (Account_Name="Service_Account") NOT [ inputlookup Trusted_Logon_Whitelist.csv | fields Account_Name Account_Domain Logon_Type ]
| eval Account_Domain=mvindex(Account_Domain,1)
| eval Account_Name=if(Account_Name="-", mvindex(Account_Name,1), Account_Name)
| eval Account_Name=if(like(Account_Name,"%$"), mvindex(Account_Name,1), Account_Name)
| eval Time=strftime(_time,"%Y/%m/%d %T")
| stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS From_WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name
| sort - Host_Count
| where Host_Count > 2
| head 10
| fields - Host Source_IP

Not exactly what you're looking for, but it might help you develop what you're looking for.


reswob4
Builder

Plus points for referring to Malware Archaeology.

reswob4
Builder

Thanks.

I always forget about that argument.
