- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- x followed by y in z time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried looking for something like this in answers and splunk docs and may not be using the right keywords.
Is there a way that I can do a search to find something like a failed login followed by a successful login within 10 minutes by a single user?
I was thinking about buckets, but I don't think that will work since I want to look 10 minutes after a specific event (login failure).
Conversely, I assume if I can find a way to do that, then I can find a way to also search for something like x not preceded by y (e.g. someone tries to log into one server without doing a virus scan 1st)
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you need the transaction command.
Here are several links from the docs to get you started:
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
For example, for your first example, one approach might be:
Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you need the transaction command.
Here are several links from the docs to get you started:
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
For example, for your first example, one approach might be:
Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add endswith=("Success") or similar in the 'transaction' command to force the end of a transaction as soon as it sees a success. The command also adds a new field called linecount to each combined result, so at that point you can search for linecount>10.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or even better yet, 10 failures followed by a success.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about if I want to make sure that Success comes before Failure? (bad example for login), but there is something else I am looking at where the order matters
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
There's No Place Like Chrome and the Splunk Platform
Customer Experience | Join the Customer Advisory Board!
