
how to search same event occur four times in five minutes

lllidan
New Member

I got a task from my manager: search for the same account's login failure event occurring four times within five minutes. Could you please help me or give me some suggestions? Thanks a lot, from a beginner.

1 Solution

FrankVl
Ultra Champion

To analyse this with a sliding 5 minute window (rather than simply using a timechart, or manually grouping events into 5 minute bins), you can use something like the following (adjust it to your situation):

...<your base search here>...
| streamstats count time_window=5m by user
| where count >=4


niketn
Legend

@FrankVl, I think count=4 will give all the users with 4 or more failed logins in a 5 minute window, and that should be the where condition, i.e.

| where count=4

The count>=4 will not add any value, since failed attempts 1, 2 and 3 will be removed.

For details, | streamstats count time_window=5m by user can be used as is, possibly adding | eval Threshold=4 to see at what point in time the failed login attempts crossed 4 or more.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

FrankVl
Ultra Champion

Yeah, that makes sense. Doing >=4 just gives a lot of extra records for users that failed more than 4 times. Filtering for just =4 shows the event that caused it to meet the threshold.

niketn
Legend

@lllidan you would need to add more details around the data and fields for us to assist you better. Mask/Anonymize any sensitive information before posting.

Assuming account field is AccountName

<yourBaseSearchForLoginFailure> AccountName=*
| bin _time span=5m
| stats count as LoginFailure by _time AccountName
| where LoginFailure>=4
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lllidan
New Member

Thanks for your help. Below is my base search:

EventCode=4625 Keyword=Logon_Failed

I want to display the Account_Name or Hostname in the columns via timechart or a dashboard.

Also, "4 attempts in 5 minutes" means that after the first attempt, 3 more attempts occur within 5 minutes. How can I define the 5 minute time period starting from the first attempt?

Do you have any good suggestions?
Thanks in advance.


niketn
Legend

@FrankVl's suggestion should do it! Try it out and accept his answer if it works for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mayurr98
Super Champion

You can try something like this:

index=<your_index> "login failure"
| timechart span=5m count
| where count=4

You can change the condition count=4 according to your requirement.

Let me know if this helps!


FrankVl
Ultra Champion

Note that this would miss cases where the 4 attempts are spread across two 5 minute windows. But it is a simple way to start.

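To make the difference between the two searches in this thread concrete (the sliding-window streamstats search in the accepted answer, and the fixed-bin timechart/bin approach with the caveat just above), here is an added Python example that is not part of the thread and not Splunk code. It emulates "| streamstats count time_window=5m by user" and "| bin _time span=5m | stats count by _time user" over a constructed set of EventCode=4625-style failures, and also shows niketn's point that "| where count=4" returns only the event at which the threshold was reached. The field name user, the sample accounts and timestamps, and the assumption that an event exactly 5 minutes old still counts as inside the window are all the example's own choices.

```python
"""Emulate the two SPL approaches from this thread over constructed 4625-style events.

sliding_window_counts  ~  | streamstats count time_window=5m by user
fixed_bin_counts       ~  | bin _time span=5m | stats count by _time user

Added example, not Splunk code. Boundary behaviour of streamstats time_window is
assumed: an event exactly 5m older than the current one is treated as in-window.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4
WINDOW = timedelta(minutes=5)

# Constructed sample data (not real logs): (_time, Account_Name) of EventCode=4625 events.
SAMPLE_EVENTS = [
    ("2024-03-01 10:03:10", "alice"),
    ("2024-03-01 10:04:00", "alice"),
    ("2024-03-01 10:04:40", "alice"),
    ("2024-03-01 10:05:30", "alice"),  # alice's 4th failure: 2m20s after her 1st, but in the next 5m bin
    ("2024-03-01 10:06:00", "alice"),  # 5th failure, still inside the sliding window
    ("2024-03-01 10:06:00", "bob"),
    ("2024-03-01 10:07:00", "bob"),
    ("2024-03-01 10:08:00", "bob"),
    ("2024-03-01 10:12:30", "bob"),    # bob's 4th failure is 6m30s after his 1st: no alert
    ("2024-03-01 10:20:10", "carol"),
    ("2024-03-01 10:21:00", "carol"),
    ("2024-03-01 10:22:00", "carol"),
    ("2024-03-01 10:23:00", "carol"),  # carol's 4 failures all land in the 10:20-10:25 bin
]


def load_events(raw=SAMPLE_EVENTS):
    """Parse the sample rows into (datetime, user) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user) for ts, user in raw]


def sliding_window_counts(events, window=WINDOW):
    """For each event, in _time order, count same-user events in the trailing window (inclusive)."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    rows = []
    for ts, user in sorted(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict events that fell out of the trailing window
            q.popleft()
        rows.append((ts, user, len(q)))
    return rows


def sliding_window_alerts(events, threshold=THRESHOLD, window=WINDOW, crossing_only=False):
    """`| where count>=threshold` (every event at or above the threshold) or, with
    crossing_only, `| where count=threshold` (only the event that reached it)."""
    rows = sliding_window_counts(events, window)
    if crossing_only:
        return [r for r in rows if r[2] == threshold]
    return [r for r in rows if r[2] >= threshold]


def fixed_bin_counts(events, span=WINDOW):
    """Count per (bin start, user), with bins aligned to midnight like `bin _time span=5m`."""
    counts = Counter()
    for ts, user in events:
        since_midnight = ts - ts.replace(hour=0, minute=0, second=0, microsecond=0)
        bin_start = ts - (since_midnight % span)
        counts[(bin_start, user)] += 1
    return counts


def fixed_bin_alerts(events, threshold=THRESHOLD, span=WINDOW):
    """`| where count>=threshold` applied to the binned counts."""
    return sorted((b, u, c) for (b, u), c in fixed_bin_counts(events, span).items() if c >= threshold)


if __name__ == "__main__":
    evts = load_events()
    print("sliding window, count>=4:", sliding_window_alerts(evts))
    print("sliding window, count=4 :", sliding_window_alerts(evts, crossing_only=True))
    print("fixed 5m bins,  count>=4:", fixed_bin_alerts(evts))
```

Running it shows alice flagged by the sliding window (at her 4th and 5th failures) but missed entirely by the fixed bins, because her burst straddles the 10:05 boundary, while carol is caught by both and bob by neither. One practical caveat for the real search: streamstats time_window relies on the events arriving in _time order, so keep the base search sorted by time before the streamstats stage.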


mayurr98
Super Champion

index=<your_index> EventCode=4625 Keyword=Logon_Failed
| timechart span=5m count by Account_Name
| untable _time Account_Name count
| where count>=4