Getting Data In

Deleted topic

attschh1
New Member


0 Karma

maciep
Champion

I saw you respond to the first answer that it wasn't what you wanted, so I'm just trying to be sure we all understand exactly what you do want.

When you say failed 3 times, do you mean 3 times in one day? Or 3 times over the entire previous month? And then, depending on that answer, what do you mean by 3 consecutive days? So a user had a failed logon at least 3 times per day for 3 consecutive days? Or just 3 consecutive days and at least 3 times over the month?

I'm also confused a bit on what you want returned. Could you elaborate a bit on what "the name of the agent and total user counts" means? And/or, given the sample data you provided, exactly what sort of results would you expect to see?

And since you do want to see agent in the results, are the failed logon requirements at the agent level too? Meaning, if a user has a logon failure 3 days in a row but 2 days are for one agent and 1 day is for another, does that count?

0 Karma

attschh1
New Member

Sorry for confusing you.

What I want is:

  • If the user failed login 3 times, and consecutively for 3 days (on any days of the month; for example, if this happens on 01,02,03 and 10,11,12, it will be 2 counts), then just return the uid and the count.

We can ignore the agent part for now.

I hope that you can understand better what I want.

Thanks a lot for your time

0 Karma
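The requirement as stated in the post above, worked through as an added example (not code from the thread or from Splunk): parse constructed AuthReject lines, bucket failures per uid per day like `bin span=1d | stats count by uid _time`, and count non-overlapping runs of 3 consecutive days with at least 3 failures each. The line format, the uids and the treatment of a run longer than 3 days (floor of run length / 3) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date, timedelta

MIN_FAILURES_PER_DAY = 3   # "failed login for 3 times" within one day
RUN_DAYS = 3               # "consecutively for 3 days"

# Constructed sample, not from the thread: (uid, day of May 2023, failed-logon count),
# expanded into one AuthReject line per failure (the line format is an assumption).
SAMPLE_DAYS = [("alice", 1, 3), ("alice", 2, 4), ("alice", 3, 3),
               ("alice", 10, 3), ("alice", 11, 3), ("alice", 12, 5),
               ("bob", 1, 3), ("bob", 2, 1), ("bob", 3, 3),
               ("carol", 5, 3), ("carol", 6, 3), ("carol", 7, 3), ("carol", 8, 3)]
SAMPLE_LOG = "\n".join(f"2023-05-{d:02d}T08:00:{i:02d} AuthReject uid={u} agent=web"
                       for u, d, n in SAMPLE_DAYS for i in range(n))

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T\S+ AuthReject .*\buid=(\S+)")

def daily_failures(log: str) -> dict:
    """Equivalent of `bin span=1d _time | stats count by uid _time`: {uid: Counter{date: n}}."""
    per_uid = defaultdict(Counter)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            y, mo, d, uid = m.groups()
            per_uid[uid][date(int(y), int(mo), int(d))] += 1
    return per_uid

def count_streaks(day_counts: Counter) -> int:
    """Number of non-overlapping runs of RUN_DAYS consecutive qualifying days for one uid."""
    qualifying = sorted(d for d, n in day_counts.items() if n >= MIN_FAILURES_PER_DAY)
    streaks, run, prev = 0, 0, None
    for day in qualifying:
        # extend the run only if this day directly follows the previous qualifying day
        run = run + 1 if prev is not None and day - prev == timedelta(days=1) else 1
        if run == RUN_DAYS:      # a full 3-day run: count it and start looking for the next
            streaks += 1
            run = 0
        prev = day
    return streaks

def flag_users(log: str) -> dict:
    """Return {uid: streak_count} for users with at least one qualifying streak."""
    result = {uid: count_streaks(c) for uid, c in daily_failures(log).items()}
    return {uid: n for uid, n in result.items() if n > 0}

if __name__ == "__main__":
    print(flag_users(SAMPLE_LOG))   # {'alice': 2, 'carol': 1}
```

bob is dropped because his middle day has only one failure, which breaks the run even though the days themselves are consecutive.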

sundareshr
Legend

See if this works

index="SM" AuthReject uid=* earliest=-30d@d | bin span=1d _time | stats count by uid _time | where count>2 | delta _time as d | transaction d uid maxevents=3 
0 Karma

attschh1
New Member

Not what I wanted. But thanks a lot for your effort!

0 Karma