I'm trying to get the count of successful logins after multiple login failures.
Try this
tag=good_login OR tag=bad_login
| eval login_type=if(tag="good_login","Success","Failure")
| table _time AccountName login_type
| streamstats window=1 current=f latest(login_type) as next_login by AccountName
| streamstats count(eval(login_type!=next_login)) as group by AccountName
| stats count(eval(login_type!=next_login)) as mismatch count(eval(login_type=next_login)) as match by AccountName group
Assume that you have created tags for the following event codes:
tag good_login for event codes 528 540 4624
tag bad_login for event codes 529 530 531 532 533 534 535 536 537 539 4625
You don't have to have the tags, but it makes this example a lot easier.
This is a very simple search, which says "find all accounts that have more than 1 failed login, and also have at least 1 successful login."
tag=good_login [ tag=bad_login | stats count by Account | where count > 1 | fields Account ]
| stats count by Account
Here is another search, which groups together all the logins for an account from a particular IP address and then looks for accounts that have a series of failures followed by a success:
tag=good_login OR tag=bad_login
| eval login_type=if(tag="good_login","Success","Failure")
| transaction Account src_ip endswith="login_type=Success"
| search login_type="Success" login_type="Failure" eventcount>2
Hopefully this will get you started...
Thank you.
But I'm not getting exactly what I want. For example, if 15 logon failures occurred and the 16th attempt was a success, I need to get a count of 15 logon failures and 1 success for that 1 account. I should get the same thing for different accounts.
Can you share some data examples? I.e., what does a bad login look like? What does a good login look like?
Also can you share an example of the final report you would like to see?
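The report asked for above (per account, the number of failures that immediately preceded each successful logon, so 15 failures then a success shows as failures=15 for that account) can be produced without transaction by numbering each account's successes and grouping the preceding failures with them. This is an added example, not one of the answers in the thread. It assumes the good_login/bad_login tags described above, the AccountName and src_ip field names used in the earlier searches, and uses searchmatch() instead of comparing tag directly because tag is normally a multivalue field.

```spl
tag=good_login OR tag=bad_login
| eval login_type=if(searchmatch("tag=good_login"),"Success","Failure")
| sort 0 AccountName _time
| streamstats current=f count(eval(login_type="Success")) as success_seq by AccountName
| stats count(eval(login_type="Failure")) as failures count(eval(login_type="Success")) as successes min(_time) as first_failure max(_time) as success_time values(src_ip) as src_ip by AccountName success_seq
| where successes=1 AND failures>0
| fields - success_seq successes
| convert ctime(first_failure) ctime(success_time)
```

How it works: after sorting each account's events into chronological order, streamstats with current=f gives every event the number of successes that came before it, so a success and all the failures since the previous success share the same success_seq value. The stats command then counts failures and successes within each of those groups; groups with successes=1 are "failures followed by a success", and groups with successes=0 (trailing failures with no success yet) are dropped. To alert only on longer streaks, change failures>0 to a threshold such as failures>=5, and add src_ip to the by clause if you want the streak scoped to one source address like the transaction-based search above.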