I tried looking for something like this in Answers and the Splunk docs, and may not be using the right keywords.
Is there a way that I can do a search to find something like a failed login followed by a successful login within 10 minutes by a single user?
I was thinking about buckets, but I don't think that will work, since I want to look 10 minutes after a specific event (login failure).
Conversely, I assume if I can find a way to do that, then I can find a way to also search for something like x not preceded by y (e.g. someone tries to log into one server without doing a virus scan first).
Thanks
Sounds like you need the transaction command.
Here are several links from the docs to get you started:
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
For example, for your first example, one approach might be:
Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure
You can add endswith=("Success") or similar in the 'transaction' command to force the end of a transaction as soon as it sees a success. The command also adds a new field called linecount to each combined result, so at that point you can search for linecount>10.
Or even better yet, 10 failures followed by a success.
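The two searches described above (a failed login followed by a success within 10 minutes per host and user, and the "10 failures then a success" variant from the comment), plus the "x not preceded by y" case from the question, written out as plain Python over a handful of constructed log lines. This is an added example, not code from the thread or from Splunk: the log format, host and user names are made up, and the `transaction()` function is a simplified forward-in-time model of what the transaction command does with `startswith`, `endswith` and `maxspan`, not a reimplementation of it (in particular, a second event matching `startswith` is absorbed into the open group here rather than starting a new one, which is what lets a run of failures land in one group).

```python
"""Added example: window-based login correlation over constructed log lines."""
from datetime import datetime, timedelta
import re

# Constructed sample events (not real data); fields mirror what the thread
# searches on: host, user and a Failure/Success result.
SAMPLE_LOG = """\
2024-05-01T09:50:00 host=web1 user=alice action=Scan result=Clean
2024-05-01T10:00:00 host=web1 user=alice action=Login result=Failure
2024-05-01T10:02:00 host=web1 user=alice action=Login result=Failure
2024-05-01T10:05:00 host=web1 user=alice action=Login result=Success
2024-05-01T10:00:00 host=web2 user=bob action=Login result=Failure
2024-05-01T10:20:00 host=web2 user=bob action=Login result=Success
2024-05-01T10:30:00 host=web2 user=bob action=Login result=Success
2024-05-01T11:00:00 host=web1 user=carol action=Login result=Success
2024-05-01T11:01:00 host=web1 user=carol action=Login result=Failure
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) action=(\S+) result=(\S+)$")


def parse(log):
    """Parse the made-up format above into dicts sorted by time (_time, like Splunk)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, action, result = m.groups()
            events.append({"_time": datetime.fromisoformat(ts), "host": host,
                           "user": user, "action": action, "result": result})
    return sorted(events, key=lambda e: e["_time"])


def transaction(events, fields, startswith, endswith=None, maxspan=None):
    """Simplified model of `transaction <fields> startswith=.. endswith=.. maxspan=..`.
    Per key, a group opens at an event matching startswith, absorbs later
    events, and closes at the first endswith match or when an event falls
    more than maxspan after the group's first event."""
    open_groups, closed = {}, []
    for e in events:
        key = tuple(e[f] for f in fields)
        group = open_groups.get(key)
        if group is not None and maxspan is not None \
                and e["_time"] - group[0]["_time"] > maxspan:
            closed.append(open_groups.pop(key))   # maxspan exceeded: close it
            group = None
        if group is None:
            if startswith(e):
                open_groups[key] = [e]
            continue
        group.append(e)
        if endswith is not None and endswith(e):
            closed.append(open_groups.pop(key))
    closed.extend(open_groups.values())           # still-open groups at end of data
    return closed


def is_failure(e): return e["action"] == "Login" and e["result"] == "Failure"
def is_success(e): return e["action"] == "Login" and e["result"] == "Success"


def failures_then_success(events, window=timedelta(minutes=10), min_failures=1):
    """(host, user, n_failures, success_time) for each group that starts with a
    failed login and reaches a success within `window`.  min_failures=10 is
    the '10 failures followed by a success' variant; note Splunk's linecount
    would count the success as well, so linecount>10 means 10+ failures."""
    hits = []
    for g in transaction(events, ("host", "user"), is_failure, is_success, window):
        n_fail = sum(1 for e in g if is_failure(e))
        if is_success(g[-1]) and n_fail >= min_failures:
            hits.append((g[0]["host"], g[0]["user"], n_fail, g[-1]["_time"]))
    return hits


def not_preceded_by(events, fields, is_x, is_y, window):
    """Events matching is_x with no is_y event for the same key in the
    preceding `window`: the 'x not preceded by y' case from the question."""
    last_y, flagged = {}, []
    for e in events:
        key = tuple(e[f] for f in fields)
        if is_y(e):
            last_y[key] = e["_time"]
        elif is_x(e):
            t = last_y.get(key)
            if t is None or e["_time"] - t > window:
                flagged.append(e)
    return flagged


def logins_without_scan(events, window=timedelta(hours=1)):
    """Logins (any result) by a host/user with no Scan event in the prior hour."""
    return not_preceded_by(events, ("host", "user"),
                           lambda e: e["action"] == "Login",
                           lambda e: e["action"] == "Scan", window)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in failures_then_success(evs):
        print("failure(s) then success within 10m:", hit)
    for e in logins_without_scan(evs):
        print("login without prior scan:", e["_time"], e["host"], e["user"])
```

On the sample data only alice trips the first check (two failures, then a success five minutes later); bob's success comes 20 minutes after his failure, so the maxspan cut-off drops it, and carol's success precedes her failure, so no group ever opens for her, which is also why order falls out of this approach for free. The second check flags every login by bob and carol, who have no Scan event, and none by alice.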
What if I want to make sure that Success comes before Failure? (Bad example for login, but there is something else I am looking at where the order matters.)