Splunk Search

How to edit my timechart search that shows the number of successful/failed logins over time, with a distinct count by user?

WhatTheSplunk
Engager

I am trying to find the number of successful/failed logins to my machine over time with a distinct count by user. This is the current search so far but I am unable to display a visualization for the below search:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| table time srcHost dstHost user cmd process 
| timechart span=1h dc(user) by srcHost

I am currently returning four events but nothing is being displayed under the visualization tab. Any help would be appreciated.

Update 06Feb17:
I did not realize you needed to use the builtin _time field rather than one that I had parsed out of the log and named time. I have updated the query to represent as much:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| eval type=if(searchmatch("Failed password"),"Fail","Success")
| table _time srcHost dstHost user cmd process type
| timechart span=1h count(type) by srcHost

Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color.

1 Solution

somesoni2
SplunkTrust
SplunkTrust

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

View solution in original post

jackjack
Path Finder

Did you ever solve the second piece of your question?

"Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color."

I am trying to figure this out now.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

WhatTheSplunk
Engager

You were correct that was wrong... Working on Visualization now.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...