Splunk Search

use stat count

Explorer

I am working on a query to pinpoint login attempt failures on a particular network address, hence I use a count stat on network address. Here is my query:

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port 

However, the result is not as ideal as I want. Now it seems like it is counting asdasd (User_Name), where I want the source 10.110.12.143 to be counted for how many times it appears within the 15-minute bucket, regardless of User_Name.

So if I do the following:

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port | search y >3

I only get results for User_Name asdasd.
Can anyone guide me on this?

  _time                   Source_Network_Address  User_Name  Workstation_Name  Source_Port  y
  6/25/12 4:15:00.000 PM  10.110.12.143           134        SGVM-QA0012       2149         1
  6/25/12 4:15:00.000 PM  10.110.12.143           asdasd     SGVM-QA0012       2149         4
  6/25/12 4:15:00.000 PM  10.110.12.143           dfsfds     SGVM-QA0012       2257         1
  6/25/12 4:15:00.000 PM  10.110.12.143           iojioj     SGVM-QA0012       2149         1
  6/25/12 4:15:00.000 PM  10.110.12.143           kjnhg      SGVM-QA0012       2257         1
  6/25/12 4:15:00.000 PM  10.110.12.143           rtyjk      SGVM-QA0012       2257         1
  6/25/12 4:30:00.000 PM  10.110.12.143           admin      SGVM-QA0012       2118         1
  6/25/12 4:30:00.000 PM  10.110.12.143           admin      SGVM-QA0012       2280         1
  6/25/12 4:30:00.000 PM  10.110.12.143           hjtyjty    SGVM-QA0012       2118         1
1 Solution

Ultra Champion

As Ayn says, you're complicating it too much. If you only want to find out how many failed login attempts have been made towards this particular host in each 15-minute period, the following should work.

source = "WinEventLog:Security"  EventCode="529" Source_Network_Address=10.110.12.143 | bucket _time span=15m | stats count(Source_Network_Address) as y by _time

UPDATE:

Would this be what you want?

source = "WinEventLog:Security"  EventCode="529"  | bucket _time span=15m | stats count values(User_Name) as y by _time Source_Network_Address

/Kristian

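To make the accepted answer concrete, here is an added example (not code from the thread or from Splunk) that reproduces the same `bucket _time span=15m | stats count ... by` logic in Python over a constructed set of EventCode 529 events. It assumes the field names used in the thread (`_time`, `EventCode`, `Source_Network_Address`, `User_Name`), a threshold of 3 like the asker's `search y > 3`, and made-up timestamps, user names and a second address (10.110.12.77). Running it shows why grouping by `Source_Network_Address` alone gives a per-address count for every 15-minute bucket, while adding `User_Name` to the `by` clause splits that count into one row per user so only `asdasd` crosses the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the WinEventLog:Security fields used in the
# thread (EventCode 529 = logon failure). Timestamps, user names and the second
# address are made up for this example; they are not real log data.
SAMPLE_ROWS = [
    ("2012-06-25 16:16:02", "529", "10.110.12.143", "134"),
    ("2012-06-25 16:17:10", "529", "10.110.12.143", "asdasd"),
    ("2012-06-25 16:17:11", "529", "10.110.12.143", "asdasd"),
    ("2012-06-25 16:17:13", "529", "10.110.12.143", "asdasd"),
    ("2012-06-25 16:17:15", "529", "10.110.12.143", "asdasd"),
    ("2012-06-25 16:18:00", "528", "10.110.12.143", "asdasd"),  # successful logon, filtered out
    ("2012-06-25 16:18:30", "529", "10.110.12.77", "admin"),
    ("2012-06-25 16:19:05", "529", "10.110.12.77", "admin"),
    ("2012-06-25 16:20:00", "529", "10.110.12.143", "dfsfds"),
    ("2012-06-25 16:22:30", "529", "10.110.12.143", "iojioj"),
    ("2012-06-25 16:31:00", "529", "10.110.12.143", "admin"),
    ("2012-06-25 16:33:00", "529", "10.110.12.143", "admin"),
    ("2012-06-25 16:40:00", "529", "10.110.12.143", "hjtyjty"),
]
FIELDS = ("_time", "EventCode", "Source_Network_Address", "User_Name")
EVENTS = [dict(zip(FIELDS, row)) for row in SAMPLE_ROWS]

SPAN = timedelta(minutes=15)  # same width as `bucket _time span=15m`


def bucket_start(ts: datetime, span: timedelta = SPAN) -> str:
    """Truncate ts to the start of its span-wide bucket, like `bucket _time span=15m`."""
    return (ts - (ts - datetime.min) % span).strftime("%Y-%m-%d %H:%M:%S")


def stats_count(events, by_fields, span=SPAN, event_code="529"):
    """Emulate `EventCode=529 | bucket _time span | stats count values(User_Name) by _time <by_fields>`.

    Returns {(bucket_start, *by_field values): {"count": n, "users": set_of_user_names}}.
    """
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev["EventCode"] != event_code:
            continue  # the search filter: only logon failures are counted
        ts = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
        key = (bucket_start(ts, span),) + tuple(ev[f] for f in by_fields)
        groups[key]["count"] += 1
        groups[key]["users"].add(ev["User_Name"])
    return dict(groups)


def flag_sources(events, threshold=3, span=SPAN):
    """Sources with more than `threshold` failures in one bucket, regardless of user name.

    Returns a sorted list of (bucket_start, source_address, count, sorted user names).
    Grouping only by Source_Network_Address is the fix from the accepted answer: every
    user tried from that address lands in the same row, so the count is per address.
    """
    rows = stats_count(events, ("Source_Network_Address",), span)
    return [
        (bucket, src, agg["count"], sorted(agg["users"]))
        for (bucket, src), agg in sorted(rows.items())
        if agg["count"] > threshold
    ]


def flag_sources_split_by_user(events, threshold=3, span=SPAN):
    """The original query's behaviour: adding User_Name to the `by` clause splits each
    address into one row per user, so only a single user with many failures is flagged."""
    rows = stats_count(events, ("Source_Network_Address", "User_Name"), span)
    return [
        (bucket, src, user, agg["count"])
        for (bucket, src, user), agg in sorted(rows.items())
        if agg["count"] > threshold
    ]


if __name__ == "__main__":
    print("per address :", flag_sources(EVENTS))
    print("per user    :", flag_sources_split_by_user(EVENTS))
```

With the constructed events, the per-address grouping reports 7 failures from 10.110.12.143 in the 16:15 bucket across four different user names, while the per-user grouping reports only the 4 failures for `asdasd`, which is exactly the discrepancy described in the question. The `values(User_Name)` column in the accepted answer corresponds to the `users` set kept alongside each count, so you still see which accounts were tried without losing the per-address total.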

Explorer

Great!!!
Thanks for the update. It works now!


Ultra Champion

See update above. /k


Explorer

Hi,
Thanks for the suggestion.
I got your point.
However, the sample I offered is like that because I only tested on my computer, hence the network address is the same.
I need to detect ANY network address; it is not one particular address.
But anyway, still thank you for your point.


Legend

If you don't want it to split by username, then why are you splitting by username?
