Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

x followed by y in z time

tawollen
Path Finder
‎12-30-2010 03:14 AM

I tried looking for something like this in answers and splunk docs and may not be using the right keywords.

Is there a way that I can do a search to find something like a failed login followed by a successful login within 10 minutes by a single user?

I was thinking about buckets, but I don't think that will work since I want to look 10 minutes after a specific event (login failure).

Conversely, I assume if I can find a way to do that, then I can find a way to also search for something like x not preceded by y (e.g. someone tries to log into one server without doing a virus scan 1st)

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-30-2010 04:05 AM

Sounds like you need the transaction command.

Here are several links from the docs to get you started:
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
     http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
     http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
    

For example, for your first example, one approach might be:

Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure

View solution in original post

Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-30-2010 04:05 AM

Sounds like you need the transaction command.

Here are several links from the docs to get you started:
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
     http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
     http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
    

For example, for your first example, one approach might be:

Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎12-30-2010 06:30 PM

You can add endswith=("Success") or similar in the 'transaction' command to force the end of a transaction as soon as it sees a success. The command also adds a new field called linecount to each combined result, so at that point you can search for linecount>10.

Reply
Solved! Jump to solution

tawollen
Path Finder
‎12-30-2010 05:04 PM

Or even better yet, 10 failures followed by a success.

0 Karma
Reply
Solved! Jump to solution

tawollen
Path Finder
‎12-30-2010 05:00 PM

What about if I want to make sure that Success comes before Failure? (bad example for login), but there is something else I am looking at where the order matters

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...