Splunk Search

How to edit my eventstats search to return a count of failed authentications greater than ten within a ten minute window?

jph11
New Member

Been working on a report to show the best data on authentications failed more than ten times in a time span of 10 mins.

Am I headed the right direction? I'm just questioning my count in the table whether or not it is correct:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | eventstats count(user) as failure_count by src_ip | bucket _time span=10m |  where failure_count>10 | dedup src_ip |table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count

Appreciate any and all help.

0 Karma

sundareshr
Legend

Move the bucket to before the eventstats and group eventstats by _time as well. Like this:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | bucket _time span=10m | eventstats count(user) as failure_count by _time src_ip | where failure_count>10 | dedup src_ip | table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count
0 Karma

jph11
New Member

I think this is close, but comparing my numbers in the count field to raw events, it seems way off.
I had been using just stats but needed more info in the table. Here's the stats command I was using that I felt was accurate.

Thoughts?

index=wineventlog OR index=cisco_auth action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | stats count by user,signature,src_ip | where count > 10 | bucket _time span=10m
0 Karma

sundareshr
Legend

Here's the difference between the two searches:

In the search I provided, the count is grouped by _time (10m increments) and src_ip,

while in your search the count is grouped by user, signature and src_ip (more group-by fields and no time field).

To check the count, try this search:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | timechart span=10m count as failure_count by src_ip
0 Karma
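The counts in the two searches differ because they group on different keys, and the `dedup src_ip` at the end of the eventstats pipeline has a side effect worth seeing. The following Python simulation is an added example, not code from the thread or from Splunk: it reimplements the three SPL pipelines discussed above (`bucket` + `eventstats ... by _time src_ip` + `dedup`, `stats count by user,signature,src_ip`, and the `timechart span=10m count by src_ip` check) over a constructed set of authentication-failure events. The sample events, user names and IPs are made up; the field names `_time`, `user`, `src_ip`, `signature` and `failure_count` are the ones used in the thread.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=10)  # the `span=10m` used throughout the thread


def make_events():
    """Constructed sample data (not real log events).

    10.0.0.5 produces 12 failures inside one 10-minute window, spread over two
    users and two failure reasons. 10.0.0.9 produces 12 failures from one user
    with one reason, but spread over two windows (5 + 7).
    """
    base = datetime(2024, 3, 1, 10, 0, 0)
    events = []
    for i in range(12):  # 10:00:00 .. 10:05:30, all in the 10:00 window
        events.append({
            "_time": base + timedelta(seconds=30 * i),
            "user": "alice" if i % 2 == 0 else "bob",
            "src_ip": "10.0.0.5",
            "signature": "Unknown user name or bad password" if i < 8 else "Account locked out",
        })
    for i in range(12):  # 10:05 .. 10:16, straddling the 10:00 and 10:10 windows
        events.append({
            "_time": base + timedelta(minutes=5 + i),
            "user": "carol",
            "src_ip": "10.0.0.9",
            "signature": "Unknown user name or bad password",
        })
    return events


def bucket_time(t, span=SPAN):
    """`bucket _time span=10m`: floor a timestamp to the start of its window."""
    epoch = datetime(1970, 1, 1)
    return epoch + (t - epoch) // span * span


def eventstats_failure_count(events, span=SPAN):
    """`bucket _time span=10m | eventstats count(user) as failure_count by _time src_ip`.

    Unlike stats, eventstats keeps every event and adds the group count to it.
    """
    counts = Counter((bucket_time(e["_time"], span), e["src_ip"]) for e in events)
    rows = []
    for e in events:
        row = dict(e, _time=bucket_time(e["_time"], span))
        row["failure_count"] = counts[(row["_time"], row["src_ip"])]
        rows.append(row)
    return rows


def flagged_sources(events, threshold=10, span=SPAN):
    """`... | where failure_count>10 | dedup src_ip`.

    dedup keeps the first surviving row per src_ip (here: chronological order),
    so the user/signature shown for a source is just that first row's values,
    and a source that crosses the threshold in two windows is reported once.
    """
    seen, rows = set(), []
    for row in eventstats_failure_count(events, span):
        if row["failure_count"] > threshold and row["src_ip"] not in seen:
            seen.add(row["src_ip"])
            rows.append(row)
    return rows


def stats_by_user_sig_src(events, threshold=10):
    """`stats count by user,signature,src_ip | where count > 10`.

    No time dimension: the count covers the whole search window, and a later
    `bucket _time` is a no-op because stats has already dropped _time.
    """
    counts = Counter((e["user"], e["signature"], e["src_ip"]) for e in events)
    return {k: v for k, v in counts.items() if v > threshold}


def timechart_by_src(events, span=SPAN):
    """`timechart span=10m count as failure_count by src_ip`: {window: {src_ip: count}}."""
    table = defaultdict(Counter)
    for e in events:
        table[bucket_time(e["_time"], span)][e["src_ip"]] += 1
    return {w: dict(c) for w, c in sorted(table.items())}


if __name__ == "__main__":
    events = make_events()
    for row in flagged_sources(events):
        print("eventstats/dedup:", row["_time"], row["src_ip"], row["user"], row["failure_count"])
    print("stats by user,signature,src_ip:", stats_by_user_sig_src(events))
    for window, per_src in timechart_by_src(events).items():
        print("timechart:", window, per_src)
```

Run as a script, the windowed pipeline flags only 10.0.0.5 (12 failures in the 10:00 window), the un-windowed `stats` flags only carol from 10.0.0.9 (12 failures across the whole period, never more than 7 in any one window), and the `timechart` output shows the per-window numbers behind both results. That is the discrepancy the thread describes: the two searches are answering different questions, not miscounting.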