Splunk Search

How to write a search for a dashboard to display all the users (based on uid) who entered the invalid credentials?

krishnacasso
Path Finder

I need some help writing a search for a dashboard to display all the users (based on uid) who entered the invalid credentials.

Sample Data:

[8375/9823654792][Tue Feb 12 2016 11:47:48][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=dkcckd01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials
[8375/9823654792][Tue Feb 12 2016 12:00:48][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=dkmkmd01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials
[8375/9823654792][Tue Feb 12 2016 12:30:43][SmDsLdapFunctionImpl.cpp:469][ERROR]sm-Ldap-49264 DN: 'uid=rohnas01,ou=users,ou=External,dc=abc,dc=com' . Status: Error 49 . Invalid credentials

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Something like this?

index=foo sourcetype=bar Status "Error 49" "Invalid credentials" | rex "DN:\s*'uid=(?<uid>[^,]+)" | stats count by uid

Once that works for you, make sure to move field extractions to the configuration (Settings -> Fields) instead of having to extract them in every single search.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Something like this?

index=foo sourcetype=bar Status "Error 49" "Invalid credentials" | rex "DN:\s*'uid=(?<uid>[^,]+)" | stats count by uid

Once that works for you, make sure to move field extractions to the configuration (Settings -> Fields) instead of having to extract them in every single search.

martin_mueller
SplunkTrust
SplunkTrust

This comes close:

... | rex ... | bin span=1m _time | stats count by _time uid | where count > 5
0 Karma

krishnacasso
Path Finder

Thanks Martin,
Is there any way to write a search with condition,
When One specific user was trying to access application for more than 5 times in a one minute span with the invalid credentials.

Thanks,
Krishna.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...