I need some help writing a search for a dashboard to display all the users (based on uid) who entered invalid credentials.
Sample Data:
[8375/9823654792][Tue Feb 12 2016 11:47:48][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=dkcckd01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials
[8375/9823654792][Tue Feb 12 2016 12:00:48][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=dkmkmd01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials
[8375/9823654792][Tue Feb 12 2016 12:30:43][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=rohnas01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials
Something like this?
index=foo sourcetype=bar Status "Error 49" "Invalid credentials" | rex "DN:\s*'uid=(?<uid>[^,]+)" | stats count by uid
Once that works for you, make sure to move field extractions to the configuration (Settings -> Fields) instead of having to extract them in every single search.
This comes close:
... | rex ... | bin span=1m _time | stats count by _time uid | where count > 5
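As an added worked example (not code from the original thread and not a Splunk product artefact), the script below runs the logic of both searches above outside Splunk, over sample lines in the format from the question: the base filter on "Error 49" / "Invalid credentials", the `rex` extraction of `uid` from the DN, `stats count by uid`, and the `bin span=1m _time | stats count by _time uid | where count > 5` threshold. The three events from the post are included unchanged; every other line is constructed here so that one user actually exceeds five failures in a minute. Assumptions: the timestamp format is exactly `[Www Mon DD YYYY HH:MM:SS]` (the weekday is ignored, since it is not needed to place the event in a bucket), and the regex uses Python's `(?P<uid>...)` named-group syntax in place of the `(?<uid>...)` syntax that Splunk's `rex` accepts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta


def _event(ts: str, uid: str, status: str = "Error 49 . Invalid credentials") -> str:
    """Build one log line in the layout shown in the question (constructed sample data)."""
    return (f"[8375/9823654792][{ts}][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 "
            f"DN: 'uid={uid},ou=users,ou=External,dc=abc,dc=com' . Status: {status}")


# Constructed sample input: the first three lines are the ones from the post, the rest were
# added here so that the per-minute threshold has something to fire on.
SAMPLE_EVENTS = [
    _event("Tue Feb 12 2016 11:47:48", "dkcckd01"),  # from the post
    _event("Tue Feb 12 2016 12:00:48", "dkmkmd01"),  # from the post
    _event("Tue Feb 12 2016 12:30:43", "rohnas01"),  # from the post
    # constructed burst: six failures for dkcckd01 inside the 12:45 minute
    *[_event(f"Tue Feb 12 2016 12:45:{s:02d}", "dkcckd01") for s in (2, 9, 17, 28, 41, 58)],
    _event("Tue Feb 12 2016 12:46:01", "dkcckd01"),  # constructed: lands in the next bucket
    # constructed: four failures for rohnas01 in the 12:46 minute, below the threshold
    *[_event(f"Tue Feb 12 2016 12:46:{s:02d}", "rohnas01") for s in (5, 20, 35, 50)],
    # constructed noise: a different LDAP result, must not be counted
    _event("Tue Feb 12 2016 12:45:30", "dkcckd01", "Error 32 . No such object"),
]

# Same pattern as the rex in the answer, with Python's named-group syntax.
UID_RE = re.compile(r"DN:\s*'uid=(?P<uid>[^,]+)")
# Second bracketed field; the leading weekday token is deliberately left out of the capture.
TS_RE = re.compile(r"^\[[^\]]*\]\[\w{3} (?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\]")


def parse_event(line: str):
    """Apply the base search terms and the rex; return (timestamp, uid) or None."""
    # Equivalent of: ... Status "Error 49" "Invalid credentials" (substring check here,
    # whereas Splunk's term search is case-insensitive and token based).
    if "Error 49" not in line or "Invalid credentials" not in line:
        return None
    m_ts, m_uid = TS_RE.match(line), UID_RE.search(line)
    if not (m_ts and m_uid):
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m_uid.group("uid")


def failed_logins_by_uid(lines):
    """Equivalent of: | stats count by uid"""
    counts = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def bucket_start(ts: datetime, span_seconds: int) -> datetime:
    """Floor a timestamp to the start of its span (the bin command's bucket edge)."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    into_day = int((ts - day).total_seconds())
    return day + timedelta(seconds=into_day - into_day % span_seconds)


def bursty_users(lines, span_seconds: int = 60, threshold: int = 5):
    """Equivalent of: | bin span=1m _time | stats count by _time uid | where count > 5

    Returns sorted (bucket_start, uid, count) tuples for every bucket over the threshold.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            ts, uid = parsed
            counts[(bucket_start(ts, span_seconds), uid)] += 1
    return sorted((b, uid, n) for (b, uid), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for uid, n in sorted(failed_logins_by_uid(SAMPLE_EVENTS).items()):
        print(f"{uid:10} {n} invalid-credential events")
    for bucket, uid, n in bursty_users(SAMPLE_EVENTS):
        print(f"{bucket:%Y-%m-%d %H:%M}  {uid}  {n} failures in one minute")
```

Two points worth keeping in mind when this goes into a dashboard. The field extraction in the answer maps directly to a `props.conf` stanza on the sourcetype (`EXTRACT-uid = DN:\s*'uid=(?<uid>[^,]+)`), which is what the Settings -> Fields UI writes for you; once it exists the `rex` stage can be dropped from every panel. And `bin span=1m` uses fixed minute boundaries, so a burst of three failures at 12:45:58 and three at 12:46:01 is split across two buckets and never reaches `count > 5`; if that matters, a sliding window (for example `streamstats time_window=1m count by uid`) catches it where fixed bins do not.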
Thanks Martin,
Is there any way to write a search with a condition: when one specific user tried to access the application more than 5 times in a one-minute span with invalid credentials?
Thanks,
Krishna.