Splunk Search

how to get the value of field if another field has same value in particular time period

thambisetty
SplunkTrust

Hi,
I have data like below:
Source_Address Event_Code Time User
10.10.10.010 4625 6/17/2014 00:12:26 Balaji
10.10.10.010 4625 6/17/2014 00:12:28 Balaji
10.10.10.010 4625 6/17/2014 00:12:30 Kumar
10.10.10.010 4624 6/17/2014 00:12:32 Rajesh

In the above sample data there are 4 events.
So I want to get the last row.
We have to search based on "time". The first 3 times he failed. Not only 3; it is sample data which I mentioned above. The failed attempts could be any number; if he/she succeeds after so many failed logins I have to capture that IP and a few fields.
Note: 4625 - Failed to login
4624 - Logged in

————————————
If this helps, give a like below.

somesoni2
Revered Legend

Try something like this:

your base search | transaction Source_Address startswith="Event_Code=4625" endswith="Event_Code=4624" | where eventcount>3

This should give you event groupings starting with a failure attempt and ending with a successful one, with the total count of failures + success (the success will always be 1) > 3, so with more than 3 consecutive failures.

Update:

Give this a try:

your base search Event_Code=4625 OR Event_Code=4624 | eval reset=if(Event_Code=4624,1,0) | accum reset  | streamstats count by reset | eventstats max(count) as Max min(count) as Min by reset | where count=Max OR count=Min | streamstats window=1 current=f first(Event_Code) as prevEvent_Code first(count) as prevCount  | where isnotnull(prevEvent_Code) AND count=1 AND prevCount >2 | fields - Max Min prevCount prevEvent_Code 
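Added example, not from the thread or from Splunk: the same reset-on-success idea as the accum/streamstats search above, written in Python and run over the sample rows plus one constructed extra source to show that a success after fewer failures is ignored. The threshold value and the date format string are assumptions.

```python
# Added example (not the thread's SPL): detect a 4624 that closes a run of
# consecutive 4625 events from the same Source_Address.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    src: str
    code: int
    time: datetime
    user: str


# Constructed input: the four sample rows from the question plus one extra
# source (10.10.10.011) with a single failure before success.
SAMPLE = """\
10.10.10.010 4625 6/17/2014 00:12:26 Balaji
10.10.10.010 4625 6/17/2014 00:12:28 Balaji
10.10.10.010 4625 6/17/2014 00:12:30 Kumar
10.10.10.010 4624 6/17/2014 00:12:32 Rajesh
10.10.10.011 4625 6/17/2014 00:13:00 Anu
10.10.10.011 4624 6/17/2014 00:13:05 Anu
"""


def parse(text):
    """Parse 'Source_Address Event_Code Date Time User' rows (format assumed)."""
    events = []
    for line in text.splitlines():
        src, code, date, clock, user = line.split()
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        events.append(Event(src, int(code), when, user))
    return events


def successes_after_failures(events, min_failures=3):
    """Return (src, user, failures, time) for every 4624 that follows at least
    min_failures consecutive 4625 events from the same source."""
    streak = {}  # source -> consecutive 4625 count since the last 4624
    hits = []
    # Splunk returns newest first; sort explicitly so the streak is chronological.
    for ev in sorted(events, key=lambda e: e.time):
        if ev.code == 4625:
            streak[ev.src] = streak.get(ev.src, 0) + 1
        elif ev.code == 4624:
            failures = streak.pop(ev.src, 0)  # success resets the run (eval reset=...)
            if failures >= min_failures:
                hits.append((ev.src, ev.user, failures, ev.time))
    return hits
```

Any other Event_Code neither extends nor resets a source's streak, so unrelated events between the failures do not hide the pattern.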

thambisetty
SplunkTrust

And one more thing: by using transaction, how many events can you search? I have 10000000 events in one index.


thambisetty
SplunkTrust

endswith=EventCode=4624 is taking, but startswith=EventCode=4625 is not taking.


somesoni2
Revered Legend

Can you provide more details on what was wrong with the output of this?


thambisetty
SplunkTrust

Thanks for your quick response, but it's not working.


jeremiahc4
Builder

Are you trying to count up the number of failures before a successful login? I'd think you could do a transaction off the Source_Address, then check the lines of the transaction event per IP. Anywhere you have >1 line, you have some failures.

[search which renders your sample data] | transaction Source_Address | search linecount>1

jeremiahc4
Builder

I don't have your data in my Splunk instance to test this on, but I believe you should have multiple values for Event_Code after you make the transaction. So I think you'd want to do a post-search for "linecount>3 AND Event_Code=4624 AND Event_Code=4625".


thambisetty
SplunkTrust

No, I am not going to count the failed logins. I want Source_IP and User if he succeeds after more than 3 consecutive failures.


thambisetty
SplunkTrust

If I do | transaction Source_Address, it will group the events by Source_Address fine, but my question is different, as you too understood.


thambisetty
SplunkTrust

Thanks for your answer! What you got is exactly correct.


jeremiahc4
Builder

The above doesn't handle the Event_Code, you'd need to add some code to handle that if you wanted something from it.


thambisetty
SplunkTrust

No, I am not passing any time value.


thambisetty
SplunkTrust

Actually, that is an Active Directory log, so what I am looking for is the user who succeeded after so many failures.


aweitzman
Motivator

I'm not sure what you mean by "we have to search based on time." If you're passing in time values, you can convert the Time field of your sample data to a time value for comparison purposes using the "convert" command. Other than that, just include an "Event_Code=4624" clause in your base search to get the results you want.

Is that what you're looking for?
