Splunk Search

How do I edit my search to join multiple search results for user authentication failure counts?

kpavan
Path Finder

Hi All,

I am trying to join multiple searches for authentication failures by UserType (i.e., Windows User, Linux User, DATABASE User), which are in a lookup file containing the user name and user type. I would like to create a chart of authentication failures by user type. From the search below, I am getting a count by user type, but it is the count of users of each type present in the lookup file.

But it's not giving me the user authentication failure count. Could you please help me with a search that gets the authentication failure counts only for the users in the lookup file, by user type?

| inputlookup usertype.csv
| join type=outer user [search index="wineventlog" source="wineventlog:security" EventCode="4625" | stats count by user]
| append [search index=os source=*sshd.log OR source=*secure* | rex "sshd\W\d+\W:\s(?<action>\w+)\s\w+\s\w+\s(?<user>\w+)\s\w+\s(?<src_ip>\d+\.\d+\.\d+\.\d+)" | stats count by user]
| append [search index="dba" source=*dba ACTION_NAME="AuthFail" | rename USERNAME as user | stats count by user]
| chart count by UserType

The output of this search is the number of users per user type, which is wrong:
UserType count
DATABASE 9
Linux 1
Windows 3

I need the output to be the actual authentication failure count.

0 Karma

Richfez
SplunkTrust

For what you've written, I don't know why you need the join. Join is a very expensive and slow operation. You also seem to be doing a lot with the field user, but then summarize it away with the final chart count by UserType.

Try this:

index="wineventlog" source="wineventlog:security" EventCode="4625" | eval UserType="Windows" | stats count as Failure_Count by UserType
| append [search index=os source=*sshd.log OR source=*secure* | rex "sshd\W\d+\W:\s(?<action>\w+)\s\w+\s\w+\s(?<user>\w+)\s\w+\s(?<src_ip>\d+\.\d+\.\d+\.\d+)" | eval UserType="Linux" | stats count as Failure_Count by UserType ]
| append [search index="dba" source=*dba ACTION_NAME="AuthFail" | rename USERNAME as user | eval UserType="Database" | stats count as Failure_Count by UserType ]

I MAY have mistyped something, but that ought to get you the output you wanted (well, with the right numbers).

If the numbers aren't right, you should be able to test each piece separately, too; for example, the middle one is:

index=os source=*sshd.log OR source=*secure* | rex "sshd\W\d+\W:\s(?<action>\w+)\s\w+\s\w+\s(?<user>\w+)\s\w+\s(?<src_ip>\d+\.\d+\.\d+\.\d+)" | stats count as Failure_Count by user | eval UserType="Linux"

Let us know how that works!

0 Karma
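Added example (not part of either post above): the answer counts every failure per source and hard-codes the UserType, but the question asked for failures restricted to the users in usertype.csv, with the type taken from that lookup. The search below does that without join, by pulling all three sources in one base search, normalising the account name into a single user field, and using lookup to attach UserType and drop accounts that are not in the file. It assumes the lookup has columns named user and UserType (the names the question's own search uses), that the Windows TA provides a user field on EventCode 4625, and that the sshd lines look like "Failed password for root from 1.2.3.4"; the rex capture-group names action, ssh_user and src_ip are my choice, since the page lost the original names in extraction and only user is referenced elsewhere.

```spl
(index="wineventlog" source="wineventlog:security" EventCode=4625)
    OR (index=os (source=*sshd.log OR source=*secure*))
    OR (index="dba" source=*dba ACTION_NAME="AuthFail")
| rex "sshd\W\d+\W:\s(?<action>\w+)\s\w+\s\w+\s(?<ssh_user>\w+)\s\w+\s(?<src_ip>\d+\.\d+\.\d+\.\d+)"
| eval user=case(index=="wineventlog", user, index=="os", ssh_user, index=="dba", USERNAME)
| where isnotnull(user)
| lookup usertype.csv user OUTPUT UserType
| where isnotnull(UserType)
| stats count as Failure_Count by UserType
| append [| inputlookup usertype.csv | stats count by UserType | eval Failure_Count=0 | fields UserType Failure_Count]
| stats sum(Failure_Count) as Failure_Count by UserType
```

The rex writes to ssh_user rather than user so it cannot clobber the user field that already exists on the Windows events. The first where drops os events the regex did not match (in particular sshd's "Failed password for invalid user ... from ..." lines, which have an extra token and will not fit this pattern, so extend the regex if you need those). The second where is what limits the result to accounts present in the lookup; note that lookup matching is case-sensitive by default, so "Administrator" in the CSV will not match "administrator" in the events unless the lookup definition sets case_sensitive_match to false. The trailing append and stats sum are optional: they make user types with zero failures appear as 0 instead of being missing from the chart.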