Splunk Search

How do I edit my transaction search to find over 3 failed Windows logon events that happen within a 10 minute timespan?

strangelaw
Explorer

So I am working a bit with transaction and I am unable to verify how it should work. This is my search:

index="myintestindex" sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625) AND Failure_Reason="Unknown user name or bad password." | transaction maxspan=10m | table Account_Name, Failure_Reason

What I am looking for is a) to find all those EventCodes and Failure_Reasons that happen in a 10m span, then b) to count whether there are over 3 of them in that specific 10-minute timespan. I don't want to end the search with Account_Name being allowed (so no failure).

This is in its simplest form, and I do not want to do it with alert/reporting, but with a search.

1 Solution

somesoni2
Revered Legend

How about this

 index="myintestindex" sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625) AND Failure_Reason="Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3

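To see what the accepted search's transaction grouping actually does, here is an added Python sketch (not from the thread and not Splunk's own code) that applies the same base filter and a simplified per-Account_Name maxspan=10m grouping to constructed sample events, then keeps groups with eventcount>=3. The timestamps and account names are made up, and only the maxspan behaviour of transaction is modelled.

```python
from datetime import datetime, timedelta

FAILURE_CODES = {529, 4625}                      # EventCode=529 OR EventCode=4625
REASON = "Unknown user name or bad password."    # Failure_Reason filter

def ev(time, code, account, reason=REASON):
    return {"_time": time, "EventCode": code, "Account_Name": account, "Failure_Reason": reason}

# Constructed sample events (not real log data), using the field names of the
# Splunk search. Only alice produces three matching failures inside ten minutes.
SAMPLE_EVENTS = [
    ev("2024-01-10 09:00:10", 4625, "alice"),
    ev("2024-01-10 09:02:30", 4625, "alice"),
    ev("2024-01-10 09:07:05", 529, "alice"),
    ev("2024-01-10 09:30:00", 4625, "alice"),                      # too late: new transaction
    ev("2024-01-10 09:01:00", 4625, "bob"),
    ev("2024-01-10 09:20:00", 4625, "bob"),
    ev("2024-01-10 09:25:00", 4625, "bob", "Account locked out."),  # different reason: dropped
    ev("2024-01-10 09:03:00", 4624, "carol", ""),                   # a logon success: dropped
]

def matches_filter(event):
    """The base search: a failure EventCode AND the exact Failure_Reason string."""
    return event["EventCode"] in FAILURE_CODES and event["Failure_Reason"] == REASON

def build_transactions(events, maxspan=timedelta(minutes=10)):
    """Simplified `transaction maxspan=10m Account_Name`: per account, in time order, an
    event joins the open group while it is within maxspan of the group's first event."""
    by_account = {}
    for event in sorted(events, key=lambda e: e["_time"]):
        if matches_filter(event):
            stamp = datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")
            by_account.setdefault(event["Account_Name"], []).append(stamp)
    transactions = []
    for account, times in by_account.items():
        start = times[0]
        group = [start]
        for stamp in times[1:] + [None]:       # None flushes the final group
            if stamp is not None and stamp - start <= maxspan:
                group.append(stamp)
                continue
            transactions.append({"Account_Name": account, "eventcount": len(group),
                                 "duration": (group[-1] - start).total_seconds()})
            if stamp is not None:
                start, group = stamp, [stamp]
    return transactions

def over_threshold(events, minimum=3):
    """Equivalent of the final `| where eventcount>=3`."""
    return [tx for tx in build_transactions(events) if tx["eventcount"] >= minimum]
```

Running over_threshold(SAMPLE_EVENTS) reports only alice, with eventcount 3 and a duration of 415 seconds; her fourth failure at 09:30 lands in a separate one-event transaction.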


strangelaw
Explorer

This works. Thanks!
