cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
SausagePizzza
Engager
Member since: ‎09-30-2020
‎11-17-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎09-30-2020
Activity Feed
View All

Get event count for last hour, event count for yes...

by in Splunk Search
‎11-17-2020 06:30 AM
1 Karma
‎11-17-2020 06:30 AM
1 Karma
Hello,  I'm trying to get a few things from my tstats search: count for last hour count for yesterday Use the two counts to get % change Typically I'd do a nested eval statement to get the info but it does not work with tstats:   | eval lastHours = relative_time(now(),"-h@h") | eval yesterday = relative_time("-1d@d","-2d@d") | stats count(yesterday) as yesterday count(lastHours) as lastHours by user src_ip | eval ChangePercent = (lastHours - yesterday) / 100     How would I get the info above with tstats?   | tstats `summariesonly` values(All_Traffic.src_zone) AS src_zone, values(All_Traffic.dest_ip) AS dest_ip, values(All_Traffic.dest_zone) AS dest_zone, values(All_Traffic.dest_port) AS dest_port, values(All_Traffic.rule) AS rule, values(All_Traffic.app) AS app, values(sourcetype) as event_source from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND (earliest=-2d@d latest=now) by All_Traffic.user, All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")`     ... View more
Labels

How to return results in sub-search only if it doe...

by in Splunk Search
‎09-30-2020 12:34 PM
‎09-30-2020 12:34 PM
Hello, Using the o365:management:activity logs, I'm trying to create a search where I: Get a list of users and their IP addresses, who failed MFA Get a list of successful login IP addresses we seen before for the users identified in Step 1 and compare the results. Return the list of users and their IP addresses which were not in Step 2. The idea is to return the IP addresses that failed MFA which never had a successful log in before.  What's the best way to develop this search? I initially thought about doing a search where the sub-search would be the following (return a list of users and their IPs who failed MFA):     index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError=UserStrongAuthClientAuthNRequiredInterrupt OR LogonError=DeviceAuthenticationRequired OR LogonError=DeviceAuthenticationFailed) earliest=-2h@h latest=now | stats count by UserId ClientIP       and then the main search would grab the successful login IP addresses for the users and compare the results. If the IP address that failed MFA was not in the list of successful login IPs, return that IP and user.  I wasn't able to get that to work. Is this possible? Is this the best approach? This appeared to work but the performance is painful:     index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError=UserStrongAuthClientAuthNRequiredInterrupt OR LogonError=DeviceAuthenticationRequired OR LogonError=DeviceAuthenticationFailed) earliest=-1h@h latest=now NOT [ search index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation=UserLoggedIn earliest=-7d latest=-4h@h | dedup ClientIP UserId | table ClientIP UserId] | stats count by ClientIP UserId Operation     Thanks in advance. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-17-2020 05:38 PM
Karma from
View All