Splunk Search

search for username that got most 403 status code

sigma
Path Finder

1) I want to list the top 10 usernames that got the most 403 status codes.
     For example, a username named sigma got 2000 of this code. I want this username to be at the top of the list.

2) I want to list the top 10 usernames that got the most 403 status codes on some objects.
     For example, a username named sigma got 2000 403 status codes on the secret object.

 

fields: username, status_code, object_ref


Thulasinathan_M
Contributor

Hi @sigma ,

Replace index and sourcetype!!

For your first criteria, it should be something like below:

index=XXX sourcetype=YYY
| stats count as MaxCount by status_code, username
| where status_code=403
| sort -MaxCount | head 10
| table username

The second criterion is not clear, but please check whether the query below meets it.

index=XXX sourcetype=YYY
| stats count as MaxCount by status_code, username, object_ref
| where status_code=403
| sort -MaxCount | head 10
| table username

 


ITWhisperer
SplunkTrust
Try something like this

| stats count(eval(status_code=="403")) as count by username
| sort 10 -count

sigma
Path Finder

Thanks @ITWhisperer
I'm very new to Splunk. I tried the following search, but it did not work:

 

index="XXX"
| stats count(eval(status_code=="403")) as count by username
| sort 10 -count

it gives me a list of all usernames with count 0 each.

 


ITWhisperer
SplunkTrust

It sounds like perhaps your status_code field has not been extracted correctly?

Here is a run-anywhere example showing the search working.

| makeresults count=100
| fields - _time
| eval status_code="403"
| eval user="X".(random()%20)
| stats count(eval(status_code="403")) as count by user
| sort 10 -count

Which probably means your data does not match how you have described it. Can you please provide anonymised examples of your events and the fields you have already extracted?

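As an added example (not code from the thread or from either answer), here is the same aggregation in plain Python over a few constructed key=value events. `top_forbidden_users` mirrors ITWhisperer's `stats count(eval(status_code=="403")) as count by username | sort 10 -count`, `top_forbidden_user_objects` mirrors Thulasinathan_M's per-object variant, and `field_coverage` is a quick check for the symptom sigma reports (every user at count 0), which in Splunk usually means the search names a field that was never extracted. The sample events, and the regex that stands in for Splunk's field extraction, are assumptions of this example.

```python
"""Top-N users by 403 responses, and a check for the 'every count is 0' symptom."""
import re
from collections import Counter

# Constructed sample events (not taken from the thread), as key=value pairs.
RAW_EVENTS = [
    "username=sigma status_code=403 object_ref=secret",
    "username=sigma status_code=403 object_ref=secret",
    "username=sigma status_code=403 object_ref=payroll",
    "username=sigma status_code=200 object_ref=public",
    "username=alice status_code=403 object_ref=secret",
    "username=alice status_code=403 object_ref=payroll",
    "username=bob status_code=403 object_ref=public",
    "username=bob status_code=200 object_ref=public",
    "username=carol status_code=404 object_ref=missing",
]

# Constructed events whose field is called "status", not "status_code":
# this reproduces a search referencing a field name that does not exist.
RAW_EVENTS_BAD_FIELD = [
    "username=sigma status=403 object_ref=secret",
    "username=alice status=403 object_ref=secret",
]

# Hypothetical stand-in for Splunk's automatic key=value extraction.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(raw):
    """Turn one raw event into a dict of field -> value (values kept as strings)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def top_forbidden_users(events, limit=10):
    """stats count(eval(status_code=="403")) as count by username | sort 10 -count

    Every user seen is reported, including those with zero 403s, exactly as
    stats count(eval(...)) does. The comparison is on the string "403", so an
    event whose status_code is absent (or differently named) contributes 0.
    """
    counts = Counter()
    for e in events:
        user = e.get("username")
        if user is None:
            continue  # 'by username' drops events that lack the by-field
        counts[user] += 1 if e.get("status_code") == "403" else 0
    return counts.most_common(limit)


def top_forbidden_user_objects(events, limit=10):
    """stats count by status_code, username, object_ref | where status_code=403
    | sort -count | head 10, keeping (username, object_ref) so the object is visible."""
    counts = Counter()
    for e in events:
        if e.get("status_code") != "403":
            continue
        if "username" not in e or "object_ref" not in e:
            continue  # both by-fields are required for the group
        counts[(e["username"], e["object_ref"])] += 1
    return counts.most_common(limit)


def field_coverage(events, field):
    """Diagnostic: fraction of events carrying `field`, and which field names
    appear in the events that lack it (hints at a misnamed extraction)."""
    present = sum(1 for e in events if field in e)
    seen_instead = Counter(k for e in events if field not in e for k in e)
    return (present / len(events) if events else 0.0), dict(seen_instead)


if __name__ == "__main__":
    events = [extract_fields(r) for r in RAW_EVENTS]
    print("top users by 403:", top_forbidden_users(events))
    print("top (user, object) by 403:", top_forbidden_user_objects(events))
    bad = [extract_fields(r) for r in RAW_EVENTS_BAD_FIELD]
    print("misnamed field, counts:", top_forbidden_users(bad))
    print("status_code coverage:", field_coverage(bad, "status_code"))
```

On the good events sigma leads with 3, alice 2, bob 1 and carol 0; on the misnamed events every user reports 0 and `field_coverage` shows `status_code` present in 0% of events while `status` is present in all of them, which is the kind of extraction mismatch ITWhisperer is asking sigma to check for.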