Splunk Search

What is the best way to produce a frequency table for user access over extended time?

Builder

I have been asked to determine the logon frequency for a certain group of users (about 50) over a two month time span. That group has been entered into a lookup table.

I know I can create a search such as the following:

index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user 

While I plan to run this as a report overnight because of the length of time it probably will take, I have a couple of challenges:

Can I just put this into a table in a csv where it is a long list of users across the top and all the dates down the left side and each block has the number of events for that user on that day?

And when I try to do this, I get about eight names and the rest are bunched into one group called OTHER.

How do I make that other group break out so I can download a list showing individual names?

I hope that's clear...

Thanks.

0 Karma
1 Solution

SplunkTrust

That is the default behavior of the limit setting of the timechart command: it provides the top 10 results and all others are clubbed into OTHER. Use limit=0 to get all the values.

index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user limit=0

See this for more information
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart#Optional_arguments


0 Karma
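A complete report search that produces the dates-down, users-across matrix the question asks for, added here as an example and not taken from the thread; it reuses the index, source, EventCode and users.csv lookup from the question. The first form is the accepted answer's timechart with two extra arguments: useother=f, so no OTHER column can appear even if limit is changed later, and fillnull, so a day with no logons for a user shows 0 instead of an empty cell. The second form builds the same table with stats and xyseries, which has no limit argument at all.

```spl
index=wineventlog source=WinEventLog:Security EventCode=4624
    [ inputlookup users.csv | fields user ]
| timechart span=1d limit=0 useother=f count by user
| fillnull value=0

index=wineventlog source=WinEventLog:Security EventCode=4624
    [ inputlookup users.csv | fields user ]
| bin _time span=1d
| stats count by _time user
| xyseries _time user count
| fillnull value=0
| sort 0 _time
```

Either form can be saved as a scheduled report and exported as CSV, one row per day and one column per user from the lookup.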

Motivator

This is a great login search that I use. Got most of it from MalwareArchaeology.com.

sourcetype="WinEventLog:Security" EventCode=4624
NOT (host="DC1" OR host="DC2" OR host="DC…")
NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON")
NOT (Account_Name="Service_Account")
NOT [ inputlookup Trusted_Logon_Whitelist.csv | fields Account_Name Account_Domain Logon_Type ]
| eval Account_Domain=(mvindex(Account_Domain,1))
| eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name)
| eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name)
| eval Time=strftime(_time,"%Y/%m/%d %T")
| stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS From_WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name
| sort - Host_Count
| where Host_Count > 2
| head 10
| fields - Host Source_IP

Not exactly what you're looking for, but it might help you develop what you're looking for.

0 Karma

Builder

Plus points for referring to Malware Archaeology.

0 Karma


Builder

Thanks.

I always forget about that argument.

0 Karma