I have a search in Splunk that returns events for failed logins. I want to be able to check 30 minutes after the event for that user to see if they didn't have a successful login. I'm struggling with the second part of this search.
index=logins
| where AuthenticationResults="failed"
| eval failedLogin=strftime(_time,"%x %r")
Try something like this
index ... AuthenticationResult="failed" or AuthenticationResult="success"
| sort 0 - _time
| eval successtime = if(AuthenticationResult=="success", _time, null())
| streamstats last(successtime) as successtime by user
| where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time > 1800)
Thank you a lot for this! Can you please explain to me the logic of the last line?
There are 3 cases to consider: 1 OK and 2 not OK - the last line attempts to find the 2 not OK.

_time | status  | success time
10:20 | success | 10:20
10:10 | failed  | 10:20
log in failed but there was a successful log in within 30 minutes

_time | status | success time
09:40 | failed | (null)
log in failed but no successful log in (success time is null)

_time | status  | success time
08:20 | success | 08:20
07:10 | failed  | 08:20
log in failed but successful log in was 70 minutes after failure
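The same three-case logic as the streamstats answer above, written out in Python as an added example (not code from the thread) so the "nearest following success per user" step is visible; the log format, user names and timestamps are constructed for the example.

```python
from datetime import datetime

WINDOW_SECONDS = 1800  # the 30-minute follow-up window from the question

# Constructed sample events (not from the thread); one user per case above:
#   alice: failed 10:10, success 10:20  -> OK (success within 30 min)
#   bob:   failed 09:40, no success     -> not OK (successtime is null)
#   carol: failed 07:10, success 08:20  -> not OK (success 70 min later)
SAMPLE_LOG = """\
2024-05-01 10:10:00 user=alice AuthenticationResult=failed
2024-05-01 10:20:00 user=alice AuthenticationResult=success
2024-05-01 09:40:00 user=bob AuthenticationResult=failed
2024-05-01 07:10:00 user=carol AuthenticationResult=failed
2024-05-01 08:20:00 user=carol AuthenticationResult=success
"""

def parse_events(text):
    """Turn 'YYYY-mm-dd HH:MM:SS key=value ...' lines into dicts with a numeric _time."""
    events = []
    for line in text.splitlines():
        ts_str, rest = line[:19], line[20:]
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S").timestamp()
        events.append(fields)
    return events

def unresolved_failures(events, window=WINDOW_SECONDS):
    """Failed logins with no success for the same user within `window` seconds after them."""
    # Mirror `sort 0 - _time`: newest event first.
    ordered = sorted(events, key=lambda e: e["_time"], reverse=True)
    # Per-user running value, like `streamstats last(successtime) by user`:
    # walking newest-first, the last success seen is the nearest one AFTER the current event.
    last_success = {}
    hits = []
    for ev in ordered:
        user = ev["user"]
        if ev["AuthenticationResult"] == "success":
            last_success[user] = ev["_time"]
            continue
        if ev["AuthenticationResult"] != "failed":
            continue
        success_time = last_success.get(user)  # None plays the role of isnull(successtime)
        if success_time is None or success_time - ev["_time"] > window:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["_time"])  # oldest first for reporting
```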
Thank you greatly! This is what I was looking for! Do you know what I could do to only display failed in login attempts for users who did not authenticate after the 30 minutes? Would it be as simple as changing AuthenticationResult to "failure"?
That is what the where command currently does.