Splunk Search

x followed by y in z time

tawollen
Path Finder

I tried looking for something like this in answers and splunk docs and may not be using the right keywords.

Is there a way that I can do a search to find something like a failed login followed by a successful login within 10 minutes by a single user?

I was thinking about buckets, but I don't think that will work since I want to look 10 minutes after a specific event (login failure).

Conversely, I assume if I can find a way to do that, then I can find a way to also search for something like x not preceded by y (e.g. someone tries to log into one server without doing a virus scan 1st)

Thanks


southeringtonp
Motivator

Sounds like you need the transaction command.

Here are several links from the docs to get you started:
    http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions
    http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions
    http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction
    http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction

For example, for your first example, one approach might be:

Login
| transaction startswith=("Failure") maxspan=10m host,user
| search Success Failure


southeringtonp
Motivator

You can add endswith=("Success") or similar in the 'transaction' command to force the end of a transaction as soon as it sees a success. The command also adds a new field called linecount to each combined result, so at that point you can search for linecount>10.
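To make the semantics of the accepted search concrete (a transaction that opens on a Failure, collects the same host/user's events for at most maxspan, closes on a Success, and is then filtered for containing both), here is an added Python model of that logic, not code from the thread or from Splunk. It covers both the original `startswith`/`maxspan` search and the `endswith`/`linecount>10` refinement from the comment above. The event records, the `build_transactions` and `failures_then_success` functions, and the field names are assumptions made for this example; the sample events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)  # constructed reference time for the sample events


def _ev(minutes, host, user, action):
    """Build one constructed login event `minutes` after BASE."""
    return {"_time": BASE + timedelta(minutes=minutes), "host": host, "user": user, "action": action}


# Constructed sample data (not real log lines): each user exercises one case.
SAMPLE_EVENTS = (
    [_ev(0, "web01", "alice", "Failure"),
     _ev(1, "web01", "alice", "Failure"),
     _ev(5, "web01", "alice", "Success"),      # 2 failures then success within 10m -> hit
     _ev(0, "web01", "bob", "Failure"),
     _ev(20, "web01", "bob", "Success"),       # success arrives after maxspan -> no hit
     _ev(0, "web02", "carol", "Success"),
     _ev(2, "web02", "carol", "Failure")]      # success BEFORE failure -> wrong order, no hit
    + [_ev(i * 0.5, "web01", "dave", "Failure") for i in range(10)]  # 10 failures in 4.5m
    + [_ev(6, "web01", "dave", "Success")]     # ...then a success: brute-force-like pattern
)


def build_transactions(events, startswith, endswith, maxspan, keys=("host", "user")):
    """Approximate `transaction startswith=... endswith=... maxspan=... <keys>`.

    A transaction opens on an event whose action matches `startswith`,
    absorbs later events with the same key fields, and closes either on an
    `endswith` event or when the next event would push the span past
    `maxspan`. Simplification (assumption): events that arrive while no
    transaction is open and do not match `startswith` are dropped.
    """
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):  # stable, chronological
        grouped[tuple(ev[k] for k in keys)].append(ev)

    transactions = []
    for key, evs in grouped.items():
        current = None
        for ev in evs:
            if current and ev["_time"] - current["events"][0]["_time"] > maxspan:
                transactions.append(current)  # span exceeded: close without an end event
                current = None
            if current is None:
                if ev["action"] == startswith:
                    current = {"key": dict(zip(keys, key)), "events": [ev]}
                continue
            current["events"].append(ev)
            if ev["action"] == endswith:
                transactions.append(current)  # end marker seen: close immediately
                current = None
        if current:
            transactions.append(current)  # still open at end of data

    for t in transactions:  # fields Splunk would add, plus a failure count
        t["linecount"] = len(t["events"])
        t["failures"] = sum(1 for e in t["events"] if e["action"] == "Failure")
        t["duration"] = (t["events"][-1]["_time"] - t["events"][0]["_time"]).total_seconds()
    return transactions


def failures_then_success(events, maxspan=timedelta(minutes=10), min_failures=1):
    """Model of:
       | transaction startswith=("Failure") endswith=("Success") maxspan=<maxspan> host,user
       | search Success Failure
    with an optional failure-count threshold standing in for `linecount>10`."""
    hits = []
    for t in build_transactions(events, "Failure", "Success", maxspan):
        actions = {e["action"] for e in t["events"]}
        if {"Failure", "Success"} <= actions and t["failures"] >= min_failures:
            hits.append(t)
    return hits


if __name__ == "__main__":
    for t in failures_then_success(SAMPLE_EVENTS):
        print(t["key"], "failures=%d linecount=%d span=%.0fs" % (t["failures"], t["linecount"], t["duration"]))
```

Running it prints alice and dave only: bob's success falls outside the 10 minute span, and carol's success precedes her failure, so no transaction ever opens for her; that is the property that makes `startswith` enforce ordering. Passing `min_failures=10` narrows the result to dave, which is the same intent as filtering on `linecount>10` after the transaction.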

tawollen
Path Finder

Or even better yet, 10 failures followed by a success.


tawollen
Path Finder

What about if I want to make sure that Success comes before Failure? (bad example for login), but there is something else I am looking at where the order matters
