- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- question about complicated condition search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
question about complicated condition search
I am facing a difficult problem about search, the condition is: I want to filter the user who change his/her logon source IP address in ten minutes.
the problem is, there are many users login in the time period, how can I classify the same username, I can't define the username in advance, it's random.
could you give a sample search? thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lllidan,
When you're aggregating don't aggregate on the IP but do so on the username. That way it will be a lot easier to see which user is using multiple IP addresses.
Your search should then be :
...|stats values(IP) by username
Instead of :
...|stats values(username) by IP
Hope this helps !
Cheers,
Arthas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, it works. thanks.
Furthermore, I also want to compare the 5 minutes' IP address to 1 hour's IP address from same user, do you have some idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great !
Yeah, sure have a look here :
https://answers.splunk.com/answers/210749/how-to-compare-current-data-with-data-from-24-hour.html
You can use the same logic as follows to seperate data from last hour and last 15 min:
....
| eval WhichHour = case(_time>=relative_time(now(),"-1h@h"),"last hour",
_time<=relative_time(now(),"-15min@min"),"Last 15 min",
1==1,null())
|stats values(IP) by username,WhichHour
You can then combine the info to see if the IPs changed over time !
Cheers,
Uther The light bringer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, David. I am really appreciate your help.
It's very close to the requirement, I got a good classification with your search, I also want to modify the different IP between "last hour" and "Last 15 min" that from the same user, list the username, different IP and "last hour" IP as columns in a chart.
thanks so much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lllidan
You're welcome ! Please up-vote comments and answers that you find helpful !
Could you please share the query you have so far along with the expected results ? Maybe an example table of what you'd like to achieve ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you give a sample logs?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
