Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check 30 minutes after an event in Splunk for a failed login attempt?

MM0071
Path Finder
‎02-28-2023 09:23 AM

I have a search in Splunk that returns events for failed logins. I want to be able to check 30 minutes after the event for that user to see if they didn't have a successful login. I'm struggling with the second part of this search. 

index=logins
| where AuthenticationResults="failed"
| eval failedLogin=strftime(_time,"%x %r")

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-28-2023 11:04 AM

Try something like this

index ... AuthenticationResult="failed" or AuthenticationResult="success"
| sort 0 - _time
| eval successtime = if(AuthenticationResult=="success", _time, null())
| streamstats last(successtime) as successtime by user
| where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time > 1800)

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-28-2023 11:04 AM

Try something like this

index ... AuthenticationResult="failed" or AuthenticationResult="success"
| sort 0 - _time
| eval successtime = if(AuthenticationResult=="success", _time, null())
| streamstats last(successtime) as successtime by user
| where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time > 1800)
Reply
Solved! Jump to solution

MM0071
Path Finder
‎03-02-2023 10:30 AM

Thank you a lot for this! Can you please explain me the logic of the last line?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 02:30 PM

There are 3 cases to consider: 1 OK and 2 not Ok - the last line attempts to find the 2 not OK

_timestatussuccess time
10:20success10:20
10:10failed10:20

log in failed but there was a successful log in within 30 minutes

_timestatussuccess time
09:40failed 

log in failed but no successful log in (success time is null)

_timestatussuccess time
08:20success08:20
07:10failed08:20

log in failed but successful log in was 70 minutes after failure

0 Karma
Reply
Solved! Jump to solution

MM0071
Path Finder
‎03-03-2023 01:29 PM

Thank you greatly! This is what I was looking for! Do you know what I could do to only display failed in login attempts for users who did not authenticate after the 30 minutes? Would it be as simple as changing AuthenticationResult to "failure"?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2023 01:37 PM

That is what the where command currently does.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...