Splunk Search

Search query for showing Connection attempts per user to same Destination

neerajs_81
Builder

Hello All,
I have a query that searches the Windows Security Logs and shows results in the following format using a stats function .  As you can see , i am grouping connection attempts from multiple users to a particular Dest .
Also,  the "Connection Attempts" takes into account the total # for all the users listed under "User" per row.

 

index=xxx source="WinEventLog:Security" EventCode=4624
| stats values(dest_ip), values(src), values(src_ip),values(user), dc(user) as userCount, count as "Connection Attempts" by dest

 

DestDest_IPSrcSRC_IPuserCountUser Connection Attempts
XXXXXXXXXXXX3User A User B User C9
XXXXXXXXXXXX2User D User E78
       

 

I would like to show how many connection attempts were made by each user.  How to segregate this data per user ?

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you aggregate, there's no way to "unaggregate" so instead of doing values(user) you'd need to just do your stats "by dest user". But then you lose the overall aggregation on dest.

Sorry, these are two different aggregations and you have to do them separately if you want to have two charts - one by user and one by dest.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...