Splunk Search

x followed by y in z time

Path Finder

I tried looking for something like this in answers and splunk docs and may not be using the right keywords.

Is there a way that I can do a search to find something like a failed login followed by a successful login within 10 minutes by a single user?

I was thinking about buckets, but I don't think that will work since I want to look 10 minutes after a specific event (login failure).

Conversely, I assume if I can find a way to do that, then I can find a way to also search for something like x not preceded by y (e.g. someone tries to log into one server without doing a virus scan 1st)

Thanks

Tags (2)
1 Solution

Motivator

Sounds like you need the transaction command.

Here are several links from the docs to get you started:
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
     http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
     http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
    

For example, for your first example, one approach might be:

Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure

View solution in original post

Motivator

Sounds like you need the transaction command.

Here are several links from the docs to get you started:
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
     http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
     http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
     http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction
    

For example, for your first example, one approach might be:

Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure

View solution in original post

Motivator

You can add endswith=("Success") or similar in the 'transaction' command to force the end of a transaction as soon as it sees a success. The command also adds a new field called linecount to each combined result, so at that point you can search for linecount>10.

Path Finder

Or even better yet, 10 failures followed by a success.

0 Karma

Path Finder

What about if I want to make sure that Success comes before Failure? (bad example for login), but there is something else I am looking at where the order matters

0 Karma