×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Kerghan666
New Member
Member since: ‎09-17-2020
‎09-18-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-17-2020
Activity Feed
View All

Join 2 queries and obtain count of rows of right s...

by in Splunk Search
‎09-17-2020 08:53 PM
‎09-17-2020 08:53 PM
Hi, I am trying to obtain user locked out events (4740) while performing a join with failed password events (4625 logontype 2) and obtain a count of the failed logons on the same day to display with the lockout event.   e.g. User = ForgetfulFrank Event = 4740 Failed Password Attempts = 5   User = PasswordPete Event = 4740 Failed Password Attempts = 2   etc.   using the following query: index=wineventlog sourcetype=WinEventLog source="WinEventLog:Security" EventCode = 4740 AND user="stuarj*" | eval User = user | eval eventTime=strftime(_time, "%Y%m%d") | eval source_account = mvindex(Account_Name,0) | eval target_account = mvindex(Account_Name,1) | join User, eventTime [search index=wineventlog sourcetype=WinEventLog source="WinEventLog:Security" EventCode=4625 AND Logon_Type=2 | eval UserList=split(user,"@") | eval User=mvindex(UserList,0) | eval eventTime=strftime(_time, "%Y%m%d") | eventstats count(RecordNumber) AS "Failed Password Attempts" | fields UserList, User, eventTime, BPT, "Failed Password Attempts"] | rename dest_nt_domain AS "Domain", ComputerName AS "Actioned Server", Caller_Computer_Name AS "Lockout source", source_account AS "Admin Account", target_account AS "Account Locked", EventCode AS "Event Code", status AS "Status", "EventCodeDescription" AS "Description", _time AS "Time" | convert timeformat="%d/%m/%Y %H:%M:%S" ctime("Time") | table Domain, "Actioned Server", "Lockout source", "Admin Account", "Account Locked", "Failed Password Attempts", "Event Code", Status, Description, Time | sort Time   Currently the value for Failed Password Attempts is the total number of records returned for the joined query and not specific only for the user it is performing the join on. I have tried including a where clause to ensure only results for the specific user in the first query are returned e.g. | Where User=user  but this has not helped. How do I obtain the specific number of records returned in the second query specific to the fields performing the join only. Easily done in SQL but this seems to behave differently. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-18-2020 12:45 AM