I am facing a difficult problem with a search. The condition is: I want to filter the users who change their logon source IP address within ten minutes.
The problem is that many users log in during the time period, so how can I group events by the same username? I can't define the username in advance; it's random.
Could you give a sample search? Thanks in advance.
Hi @lllidan,
When you're aggregating don't aggregate on the IP but do so on the username. That way it will be a lot easier to see which user is using multiple IP addresses.
Your search should then be:
...|stats values(IP) by username
Instead of:
...|stats values(username) by IP
Hope this helps!
Cheers,
Arthas
Yes, it works. Thanks.
Furthermore, I also want to compare the last 5 minutes' IP addresses to the last hour's IP addresses from the same user. Do you have any idea?
Great!
Yeah, sure, have a look here:
https://answers.splunk.com/answers/210749/how-to-compare-current-data-with-data-from-24-hour.html
You can use the same logic as follows to separate data from the last hour and the last 15 min (the 15-minute test must come first in the case(), otherwise every event in the last hour is labelled "last hour" and nothing ever gets "Last 15 min"):
....
| eval WhichHour = case(_time>=relative_time(now(),"-15min@min"),"Last 15 min",
_time>=relative_time(now(),"-1h@h"),"last hour",
1==1,null())
|stats values(IP) by username,WhichHour
You can then combine the info to see if the IPs changed over time!
Cheers,
Uther The light bringer
Thanks, David. I really appreciate your help.
It's very close to the requirement; I got a good classification with your search. I also want to modify the different IPs between "last hour" and "Last 15 min" that come from the same user, and list the username, the different IP and the "last hour" IP as columns in a chart.
Thanks so much.
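Putting the thread together, as an added example rather than a search from the thread (the index, sourcetype and the field names user and src_ip are assumptions; adjust them to your data): the first search answers the original ten-minute question by grouping per username rather than per IP, and the second buckets the last hour into two windows and lists, per user, the IPs seen only in the last 15 minutes next to the earlier ones.

```spl
index=auth sourcetype=linux_secure action=success earliest=-1h@h
| sort 0 user _time
| streamstats current=f last(src_ip) as prev_ip last(_time) as prev_time by user
| where src_ip!=prev_ip AND _time-prev_time<=600
| table _time user prev_ip src_ip

index=auth sourcetype=linux_secure action=success earliest=-1h@h
| eval window=if(_time>=relative_time(now(),"-15min@min"),"last_15min","earlier_in_hour")
| stats values(eval(if(window="last_15min",src_ip,null()))) as last_15min_ips
        values(eval(if(window="earlier_in_hour",src_ip,null()))) as earlier_ips
        by user
| eval new_ips=mvmap(last_15min_ips, if(isnull(mvfind(earlier_ips,"^".last_15min_ips."$")), last_15min_ips, null()))
| where isnotnull(new_ips)
| table user new_ips last_15min_ips earlier_ips
```

mvmap needs Splunk 8.0 or later; on older versions stop after the stats and compare the two columns as the thread does. A user with no events earlier in the hour has all of their last_15min_ips reported as new_ips, which is usually what you want for a first-seen-from-this-address check.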
Hi @lllidan
You're welcome! Please up-vote comments and answers that you find helpful!
Could you please share the query you have so far along with the expected results? Maybe an example table of what you'd like to achieve?
Could you give some sample logs?