Splunk Search

question about complicated condition search

lllidan
New Member

I am facing a difficult problem with a search. The condition is: I want to filter the users who change their logon source IP address within ten minutes.

The problem is, there are many users logging in during that time period. How can I classify by the same username? I can't define the usernames in advance; they're random.

Could you give a sample search? Thanks in advance.

0 Karma

DavidHourani
Super Champion

Hi @lllidan,

When you're aggregating don't aggregate on the IP but do so on the username. That way it will be a lot easier to see which user is using multiple IP addresses.

Your search should then be:

...|stats values(IP) by username

Instead of:

...|stats values(username) by IP

Hope this helps!

Cheers,
Arthas

0 Karma

lllidan
New Member

Yes, it works. Thanks.

Furthermore, I also want to compare the last 5 minutes' IP addresses to the last hour's IP addresses for the same user. Do you have any ideas?

0 Karma

DavidHourani
Super Champion

Great!

Yeah, sure, have a look here:
https://answers.splunk.com/answers/210749/how-to-compare-current-data-with-data-from-24-hour.html

You can use the same logic as follows to separate data from the last hour and the last 15 min:

....
| eval WhichHour = case(_time>=relative_time(now(),"-15min@min"),"Last 15 min",
                        _time>=relative_time(now(),"-1h@h"),"last hour",
                        1==1,null())
| stats values(IP) by username,WhichHour

You can then combine the info to see if the IPs changed over time!

Cheers,
Uther The light bringer

0 Karma
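The two pieces of logic in this thread (the original question's "same user, different source IP within ten minutes" check, and the answer's last-15-min versus last-hour bucketing per username) implemented in Python over a few constructed logon lines, as an added illustration rather than anything posted in the thread. The log format, the `parse_logs`, `ip_changes_within` and `ips_by_bucket` names, and the sample values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the thread): "<ISO time> <user> <source IP>".
SAMPLE_LOGS = """\
2024-03-01T10:00:00 alice 10.0.0.5
2024-03-01T10:04:00 bob 10.0.0.9
2024-03-01T10:06:00 alice 198.51.100.7
2024-03-01T10:20:00 bob 10.0.0.9
2024-03-01T10:30:00 carol 192.0.2.1
2024-03-01T10:50:00 carol 192.0.2.44
"""

def parse_logs(text):
    """Return (time, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def ip_changes_within(events, window=timedelta(minutes=10)):
    """Group by username (no list of names needed up front, just like
    'stats ... by username'), sort each user's logons by time, and flag every
    pair of consecutive logons from different IPs that fall within `window`.
    Returns {user: [(t_prev, ip_prev, t_new, ip_new), ...]}."""
    by_user = defaultdict(list)
    for t, user, ip in events:
        by_user[user].append((t, ip))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for (t0, ip0), (t1, ip1) in zip(logons, logons[1:]):
            if ip0 != ip1 and t1 - t0 <= window:
                hits.setdefault(user, []).append((t0, ip0, t1, ip1))
    return hits

def ips_by_bucket(events, now, recent=timedelta(minutes=15), wide=timedelta(hours=1)):
    """Same idea as the eval WhichHour=case(...) | stats values(IP) by username,WhichHour
    search: per user, the IPs seen in the last `recent` span, the IPs seen earlier
    within the last `wide` span, and the recent IPs that never appeared earlier."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    seen = defaultdict(lambda: {"recent": set(), "earlier": set()})
    for t, user, ip in events:
        if now - wide <= t <= now:                      # drop events outside the hour
            seen[user]["recent" if t >= now - recent else "earlier"].add(ip)
    return {u: dict(b, new_ips=b["recent"] - b["earlier"]) for u, b in seen.items()}
```

`ip_changes_within(parse_logs(SAMPLE_LOGS))` flags only alice (two IPs six minutes apart); carol's change is twenty minutes apart and is not flagged, but `ips_by_bucket` reports 192.0.2.44 as new for carol in the last 15 minutes.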

lllidan
New Member

Thanks, David. I really appreciate your help.

It's very close to the requirement. I got a good classification with your search. I also want to find the IPs that differ between "last hour" and "Last 15 min" for the same user, and list the username, the differing IP and the "last hour" IP as columns in a chart.

Thanks so much.

0 Karma

DavidHourani
Super Champion

Hi @lllidan,

You're welcome! Please up-vote comments and answers that you find helpful!

Could you please share the query you have so far along with the expected results? Maybe an example table of what you'd like to achieve?

0 Karma

to4kawa
Ultra Champion

Could you give some sample logs?

0 Karma