×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
brucewhaleham21
Loves-to-Learn Lots
Member since: ‎07-05-2023
‎07-06-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-05-2023
View All

Re: Help with splunk query to find login events th...

by in Splunk Search
‎07-05-2023 12:00 PM
‎07-05-2023 12:00 PM
lowerBound and upperBound should be different for each user. I was hoping to get those values as an average over 30 day period but I guess I would only want to evaluate that on weekdays and not weekends. Having strdev calculated was just to assist with determining the upper and lower bound. Ideally, the upper and lower bound would be calculated for each user(over a 30 day period) and then every logon event would be evaluated according to those upper and lower bounds. The weekday vs weekend problem could be ignored and just time would be enough for me ... View more

Help with splunk query to find login events that h...

by in Splunk Search
‎07-05-2023 11:28 AM
‎07-05-2023 11:28 AM
Working on a splunk query to find login events that occur outside of the users' typical sign in times. I do not want to get an average of all users, just the upper and lower bounds of each individual and then determine if a login event is an outlier   index=o365 sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoggedIn | eventstats avg("_time") AS avg stdev("_time") AS stdev | foreach UserID eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) | eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0) | search isOutlier=1 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-06-2023 10:06 AM