Splunk Search

use stat count

sg5258
Explorer

I'm working on a query to pinpoint login attempt failures on a particular network address, hence I use a count stat on the network address. Here is my query:

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port 

However, the result is not as ideal as I want... It now seems to be counting asdasd (User_Name), whereas I want the source 10.110.12.143 counted for how many times it appears within the 15-minute bucket, regardless of User_Name.

so if i do the following

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port | search y >3

I only get a result for User_Name asdasd.
Can anyone guide me on this?

  time                   source_network_Address User_Name Workstation_Name Source_Port y
  6/25/12 4:15:00.000 PM 10.110.12.143          134        SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          asdasd     SGVM-QA0012         2149    4 
  6/25/12 4:15:00.000 PM 10.110.12.143          dfsfds     SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          iojioj     SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          kjnhg      SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          rtyjk      SGVM-QA0012         2257    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2118    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2280    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          hjtyjty    SGVM-QA0012         2118    1 
0 Karma
1 Solution

kristian_kolb
Ultra Champion

As Ayn says, you're complicating it too much. If you only want to find out how many failed login attempts have been made towards this particular host in each 15 minute period, the following should work.

source = "WinEventLog:Security"  EventCode="529" Source_Network_Address=10.110.12.143 | bucket _time span=15m | stats count(Source_Network_Address) as y by _time

UPDATE:

Would this be what you want?

source = "WinEventLog:Security"  EventCode="529"  | bucket _time span=15m | stats count values(User_Name) as y by _time Source_Network_Address

/Kristian
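The semantics of the updated query (bucket into 15-minute spans, then count failures per source address while keeping the distinct user names, and flag any address over the question's threshold of 3), as an added Python example that is not from the thread or from Splunk. The events are constructed; the second address 10.110.12.200, the user svc_backup and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample failed-logon events (EventCode 529) in the order
# (_time, Source_Network_Address, User_Name, Workstation_Name, Source_Port).
# Not real data; 10.110.12.200 is an assumed second source address.
SAMPLE_EVENTS = [
    ("2012-06-25 16:17:05", "10.110.12.143", "134", "SGVM-QA0012", "2149"),
    ("2012-06-25 16:18:10", "10.110.12.143", "asdasd", "SGVM-QA0012", "2149"),
    ("2012-06-25 16:19:22", "10.110.12.143", "dfsfds", "SGVM-QA0012", "2257"),
    ("2012-06-25 16:21:40", "10.110.12.143", "iojioj", "SGVM-QA0012", "2149"),
    ("2012-06-25 16:24:03", "10.110.12.143", "kjnhg", "SGVM-QA0012", "2257"),
    ("2012-06-25 16:28:59", "10.110.12.143", "rtyjk", "SGVM-QA0012", "2257"),
    ("2012-06-25 16:20:00", "10.110.12.200", "svc_backup", "SGVM-QA0007", "3301"),
    ("2012-06-25 16:26:30", "10.110.12.200", "svc_backup", "SGVM-QA0007", "3302"),
    ("2012-06-25 16:31:11", "10.110.12.143", "admin", "SGVM-QA0012", "2118"),
    ("2012-06-25 16:33:47", "10.110.12.143", "admin", "SGVM-QA0012", "2280"),
    ("2012-06-25 16:41:15", "10.110.12.143", "hjtyjty", "SGVM-QA0012", "2118"),
]


def bucket_time(ts, span_minutes=15):
    """Equivalent of `bucket _time span=15m`: floor the timestamp to the
    start of its span. span_minutes must divide 60 to match Splunk's
    clock-aligned buckets."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    dt = dt.replace(minute=dt.minute - dt.minute % span_minutes, second=0)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def failed_logons_by_source(events, span_minutes=15):
    """Equivalent of `stats count values(User_Name) by _time Source_Network_Address`.
    The key deliberately omits User_Name, Workstation_Name and Source_Port:
    splitting by those is what made every row in the question count 1."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for ts, src, user, _workstation, _port in events:
        g = groups[(bucket_time(ts, span_minutes), src)]
        g["count"] += 1
        g["users"].add(user)
    return {k: {"count": v["count"], "users": sorted(v["users"])}
            for k, v in groups.items()}


def sources_over_threshold(stats, threshold=3):
    """Equivalent of `| where count > 3`: every (bucket, address) with a
    burst of failures, for ANY address rather than one hard-coded one."""
    return sorted((bucket, src, v["count"])
                  for (bucket, src), v in stats.items() if v["count"] > threshold)
```

Running `sources_over_threshold(failed_logons_by_source(SAMPLE_EVENTS))` reports only the 16:15 bucket for 10.110.12.143 with 6 failures, while the same address in the 16:30 bucket (3 failures) and 10.110.12.200 (2 failures) stay below the threshold.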

sg5258
Explorer

Great!!!
Thanks for the update.. it works now!

0 Karma

kristian_kolb
Ultra Champion

See update above. /k

0 Karma

sg5258
Explorer

Hi,
Thanks for the suggestion..
I got your point.
However, the sample I offered is like that because I only tested on my computer, hence the network address is the same..
I need to detect ANY network_address, not one particular address.
But anyway, still thank you for your point.

0 Karma

Ayn
Legend

If you don't want it to split by username, then why are you splitting by username?

0 Karma