Hi,
I have data like below:
Source_Address  Event_Code  Time                User
10.10.10.010    4625        6/17/2014 00:12:26  Balaji
10.10.10.010    4625        6/17/2014 00:12:28  Balaji
10.10.10.010    4625        6/17/2014 00:12:30  Kumar
10.10.10.010    4624        6/17/2014 00:12:32  Rajesh
In the above sample data there are 4 events.
So I want to get the last row.
We have to search based on "time". The first 3 times he got failed. Not only 3; it's sample data which I mentioned above. The failed attempts could be any number. If he/she succeeds after so many failed logins, I have to capture that IP and a few fields.
Note: 4625 - Failed to login
4624 - Logged in
Try something like this:
your base search | transaction Source_Address startswith=Event_Code=4625 endswith=Event_Code=4624 | where eventcount>3
This should give you event grouping starting with a failure attempt and ending with a successful one, with a total count of failure+success (this will be 1 always) > 3, so with more than 3 consecutive failures.
Update:
Give this a try:
your base search Event_Code=4625 OR Event_Code=4624 | eval reset=if(Event_Code=4624,1,0) | accum reset | streamstats count by reset | eventstats max(count) as Max min(count) as Min by reset | where count=Max OR count=Min | streamstats window=1 current=f first(Event_Code) as prevEvent_Code first(count) as prevCount | where isnotnull(prevEvent_Code) AND count=1 AND prevCount >2 | fields - Max Min prevCount prevEvent_Code
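As an added example (not code from the thread), the same detection logic written in Python over a constructed sample in the thread's column layout: a 4624 from a source address that follows at least `min_failures` consecutive 4625 events from that address is reported with the user, the time and the distinct users seen in the failed run. The extra source addresses, the user names Priya and Anil, and the `min_failures` parameter are assumptions. Because `accum` and `streamstats` in the search above are order-dependent, the example sorts the events oldest-first before counting; the sample is deliberately listed newest-first, as Splunk returns events, to show that this step matters.

```python
"""Find successful logons (4624) that follow a run of consecutive failed
logons (4625) from the same source address.  Added example; not the
thread's own code."""
from collections import defaultdict
from datetime import datetime

FAILED_LOGON = 4625   # per the thread: failed to log in
SUCCESS_LOGON = 4624  # per the thread: logged in

# Constructed sample events in the thread's column layout, newest-first.
# Source 10.10.10.010 reproduces the thread's data; the other two sources
# and the users Priya and Anil are made up for this example.
SAMPLE_EVENTS = """\
Source_Address Event_Code Time User
10.10.10.030 4624 6/17/2014 00:14:12 Anil
10.10.10.030 4625 6/17/2014 00:14:11 Anil
10.10.10.030 4625 6/17/2014 00:14:10 Anil
10.10.10.030 4625 6/17/2014 00:14:09 Anil
10.10.10.030 4624 6/17/2014 00:14:02 Anil
10.10.10.030 4625 6/17/2014 00:14:01 Anil
10.10.10.020 4624 6/17/2014 00:13:05 Priya
10.10.10.020 4625 6/17/2014 00:13:01 Priya
10.10.10.010 4624 6/17/2014 00:12:32 Rajesh
10.10.10.010 4625 6/17/2014 00:12:30 Kumar
10.10.10.010 4625 6/17/2014 00:12:28 Balaji
10.10.10.010 4625 6/17/2014 00:12:26 Balaji
"""


def parse_events(text):
    """Parse whitespace-separated rows into dicts; the header row is skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Source_Address":
            continue
        events.append({
            "source": parts[0],
            "code": int(parts[1]),
            # Date and time are two tokens in the thread's format.
            "time": datetime.strptime(parts[2] + " " + parts[3], "%m/%d/%Y %H:%M:%S"),
            "user": " ".join(parts[4:]),
        })
    return events


def find_success_after_failures(events, min_failures=3):
    """Return one hit per 4624 that ends a run of >= min_failures 4625s
    from the same source address.  A 4624 always ends the run, so two
    separate runs from one address are reported separately."""
    failed_runs = defaultdict(list)  # source -> users of the failures so far
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):  # oldest first
        run = failed_runs[e["source"]]
        if e["code"] == FAILED_LOGON:
            run.append(e["user"])
        elif e["code"] == SUCCESS_LOGON:
            if len(run) >= min_failures:
                hits.append({
                    "source": e["source"],
                    "user": e["user"],
                    "time": e["time"],
                    "failures": len(run),
                    "failed_users": sorted(set(run)),
                })
            failed_runs[e["source"]] = []  # success resets the streak
    return hits


if __name__ == "__main__":
    for hit in find_success_after_failures(parse_events(SAMPLE_EVENTS)):
        print(hit["source"], hit["user"], hit["time"],
              hit["failures"], hit["failed_users"])
```

With the default threshold of three, 10.10.10.010 (Rajesh, after failures by Balaji and Kumar) and the second run from 10.10.10.030 are reported; 10.10.10.020 and the first 10.10.10.030 run have only one failure each and are not. Recording the distinct failed users is cheap and helps tell one account being brute-forced apart from several accounts being tried from one address.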
And one more thing: by using transaction, how many events can you search? I have 10000000 events in one index.
endswith=EventCode=4624 is accepted, but startswith=EventCode=4625 is not accepted.
Can you provide more details on what was wrong with the output of this?
Thanks for your quick response, but it's not working.
Are you trying to count up the number of failures before successful login? I'd think you could do a transaction off the Source_Address, then check the lines for the transaction event per IP. Anywhere you have >1 line, you have some failures.
[search which renders your sample data] | transaction Source_Address | search linecount>1
I don't have your data in my Splunk instance to test this on, but I believe you should have multiple values for Event_Code after you make the transaction. So I think you'd want to do a post-search for "linecount>3 AND Event_Code=4624 AND Event_Code=4625".
No, I am not going to count failed logins. I want Source_IP and User if he succeeds after more than 3 consecutive failures.
If I do | transaction Source_Address, it will group the events by Source_Address fine, but my question is different, as you also understood.
Thanks for your answer! Exactly correct, what you got.
The above doesn't handle the Event_Code, you'd need to add some code to handle that if you wanted something from it.
No, I am not passing any time value.
Actually that is an Active Directory log, so what I am looking for is a user who succeeded after so many failures.
I'm not sure what you mean by "we have to search based on time." If you're passing in time values, you can convert the Time field of your sample data to a time value for comparison purposes using the "convert" command. Other than that, just include an "Event_Code=4624" clause in your base search to get the results you want.
Is that what you're looking for?