Splunk Search

How to search for the same event occurring four times in five minutes

lllidan
New Member

I got a mission from my manager: search for the same account's login failure event occurring four times in five minutes. Could you please help me or give me some suggestions? Thanks a lot, from a beginner.

0 Karma
1 Solution

FrankVl
Ultra Champion

To analyse this with a sliding 5 minute window (rather than simply using a timechart, or manually grouping events into 5 minute bins), you can use something like the following (adjust it to your situation):

...<your base search here>...
| streamstats count time_window=5m by user
| where count >=4

niketn
Legend

@FrankVl, I think count=4 will give all the users with 4 or more failed logins in a 5 minute window, and that should be the where condition, i.e.

| where count=4

The count>=4 will not add any value, since failed attempts 1, 2 and 3 will be removed.

For details, | streamstats count time_window=5m by user can be used as is, possibly adding a | eval Threshold=4 to see at what point in time the failed login attempts crossed 4 or more.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

FrankVl
Ultra Champion

Yeah, that makes sense. Doing >=4 just gives a lot of extra records for users that failed more than 4 times. Filtering for just =4 shows the event that caused it to meet the threshold.

niketn
Legend

@lllidan you would need to add more details around the data and fields for us to assist you better. Mask/anonymize any sensitive information before posting.

Assuming the account field is AccountName:

<yourBaseSearchForLoginFailure> AccountName=*
| bin _time span=5m
| stats count as LoginFailure by _time AccountName
| where LoginFailure>=4
0 Karma

lllidan
New Member

Thanks for your help, and below is my base search:

EventCode=4625 Keyword=Logon_Failed

and I want to display the Account_Name or Hostname in the column via timechart or dashboard.

Otherwise, "4 attempts in 5 minutes" means that after the first attempt, 3 more attempts occur within 5 minutes. How can I define the 5 minute time period after the first attempt?

Do you have any good suggestions?
Thanks in advance.

0 Karma

niketn
Legend

@FrankVl's suggestion should do it! Try it out and accept his answer if it works for you!

0 Karma

mayurr98
Super Champion

You can try something like this:

index=<your_index> "login failure" 
| timechart span=5m count 
| where count=4

You can change the condition count=4 according to your requirement.

Let me know if this helps!

0 Karma

FrankVl
Ultra Champion

Note that this would miss cases where the 4 attempts are spread across two 5 minute windows. But it is a simple way to start.

0 Karma
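To make the two points raised in this thread concrete (niketn's remark that filtering on count=4 pins the exact failure that crosses the threshold, and FrankVl's caveat that fixed 5 minute bins miss a burst that straddles a bin boundary), here is an added Python emulation of both SPL approaches run over constructed EventCode 4625 lines. It is not Splunk code and not part of the original thread; the account names and timestamps are made up, the field names follow the OP's base search, and the functions `sliding_window_alerts` and `fixed_bin_alerts` are stand-ins for `streamstats count time_window=5m` and `bin _time span=5m | stats count`.

```python
# Added example, not from the Splunk thread or from Splunk itself: a Python
# emulation of the two SPL approaches discussed above, run over constructed
# EventCode 4625 (Windows logon failure) lines so the difference is visible.
#
#   sliding window : | streamstats count time_window=5m by user | where count=4
#   fixed bins     : | bin _time span=5m | stats count by _time user | where count>=4
#
# Field names (EventCode, Keyword, Account_Name) follow the OP's base search;
# the timestamps and account names are invented.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 4
EPOCH = datetime(1970, 1, 1)

# Constructed sample events (not real logs), deliberately out of order.
# alice: 5 failures inside the 10:00-10:05 bin.
# bob:   4 failures within 4m30s, but split 2/2 across the 10:00 and 10:05 bins.
# carol: 4 failures spread over 8 minutes (never 4 inside any 5 minute window).
RAW_EVENTS = [
    "2024-05-01 10:03:15 EventCode=4625 Keyword=Logon_Failed Account_Name=bob",
    "2024-05-01 10:00:30 EventCode=4625 Keyword=Logon_Failed Account_Name=alice",
    "2024-05-01 10:01:00 EventCode=4625 Keyword=Logon_Failed Account_Name=carol",
    "2024-05-01 10:01:10 EventCode=4625 Keyword=Logon_Failed Account_Name=alice",
    "2024-05-01 10:02:00 EventCode=4625 Keyword=Logon_Failed Account_Name=carol",
    "2024-05-01 10:02:05 EventCode=4625 Keyword=Logon_Failed Account_Name=alice",
    "2024-05-01 10:03:00 EventCode=4625 Keyword=Logon_Failed Account_Name=carol",
    "2024-05-01 10:03:40 EventCode=4625 Keyword=Logon_Failed Account_Name=alice",
    "2024-05-01 10:04:05 EventCode=4625 Keyword=Logon_Failed Account_Name=bob",
    "2024-05-01 10:04:20 EventCode=4625 Keyword=Logon_Failed Account_Name=alice",
    "2024-05-01 10:06:30 EventCode=4625 Keyword=Logon_Failed Account_Name=bob",
    "2024-05-01 10:07:45 EventCode=4625 Keyword=Logon_Failed Account_Name=bob",
    "2024-05-01 10:09:00 EventCode=4625 Keyword=Logon_Failed Account_Name=carol",
]


def parse(lines):
    """Turn raw lines into (timestamp, account) pairs sorted by time.

    streamstats time_window needs events in a consistent time order, so the
    emulation sorts ascending before counting."""
    events = []
    for line in lines:
        date, time, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("EventCode") != "4625":
            continue  # mirror the EventCode=4625 filter of the base search
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, fields["Account_Name"]))
    return sorted(events)


EVENTS = parse(RAW_EVENTS)


def sliding_window_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Emulate `streamstats count time_window=5m by user | where count=4`.

    For each event, count that account's events in the trailing window
    (including the event itself) and report the event at which the count
    is exactly `threshold`, i.e. the failure that crosses the line."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((ts, user))
    return alerts


def fixed_bin_alerts(events, span=WINDOW, threshold=THRESHOLD):
    """Emulate `bin _time span=5m | stats count by _time user | where count>=4`.

    Buckets start on wall-clock multiples of `span`, so a burst that straddles
    a boundary is split between two buckets and can fall under the threshold."""
    span_s = int(span.total_seconds())
    counts = defaultdict(int)
    for ts, user in events:
        secs = int((ts - EPOCH).total_seconds())
        bucket = EPOCH + timedelta(seconds=secs - secs % span_s)
        counts[(bucket, user)] += 1
    return sorted((b, u, c) for (b, u), c in counts.items() if c >= threshold)


def missed_by_fixed_bins(events):
    """Accounts the sliding window flags that the fixed bins do not."""
    sliding = {u for _, u in sliding_window_alerts(events)}
    fixed = {u for _, u, _ in fixed_bin_alerts(events)}
    return sliding - fixed


if __name__ == "__main__":
    for ts, user in sliding_window_alerts(EVENTS):
        print(f"sliding window: {user} reached {THRESHOLD} failures at {ts:%H:%M:%S}")
    for bucket, user, count in fixed_bin_alerts(EVENTS):
        print(f"fixed bin {bucket:%H:%M}: {user} had {count} failures")
    print("missed by fixed bins:", sorted(missed_by_fixed_bins(EVENTS)))
```

Running it shows the sliding window flagging alice at 10:03:40 and bob at 10:07:45 (the fourth failure in each burst), while the fixed bins only report alice; bob's 2+2 split across the 10:00 and 10:05 buckets never reaches 4, which is exactly the gap FrankVl describes. carol is flagged by neither, since her four failures span eight minutes.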

mayurr98
Super Champion

index=<your_index> EventCode=4625 Keyword=Logon_Failed | timechart span=5m count by account_name where count>=4

0 Karma