Splunk Dev

tstats and _time span

jacqu3sy
Path Finder

Hi,

Still not sure on the '_time span=5s' element of the following search. The goal is to alert when a source device fails
to login to greater than 10 destinations in a 5 second period. If I run this search over, say, 7 days, I get failed logins
from the same source device to multiple destinations, but they are spaced out over a much greater time period than the 5 seconds
I'm looking for.

Any thoughts?

| tstats summariesonly=true count from datamodel=Authentication where nodename=Authentication.Failed_Authentication
by "Authentication.src","Authentication.dest","Authentication.src_user", _time span=5s
| rename "Authentication.src" AS "Source_Device", "Authentication.dest" AS "Destination"
| stats dc(Destination) AS Total_Dest, values(Destination) AS List_Destinations by Source_Device
| where Total_Dest > 10


hardikJsheth
Motivator

Try with this.

| tstats summariesonly=true count from datamodel=Authentication where nodename=Authentication.Failed_Authentication
by "Authentication.src","Authentication.dest","Authentication.src_user", _time
| rename "Authentication.src" AS "Source_Device", "Authentication.dest" AS "Destination"
| timechart span=5s dc(Destination) AS Total_Dest, values(Destination) AS List_Destinations
| where Total_Dest >1

jacqu3sy
Path Finder

Nope. If I run that over a period of 7 days it just gives me a breakdown by day of destinations where a failed login has occurred. I need something which takes a source address and then calculates where that device has failed to login to more than 10 destinations within a 5 second period and alerts accordingly.

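Editor's note on why the original search loses the 5 second window: `_time span=5s` in the tstats by-clause does bucket the summary rows into 5 second bins, but the following `stats ... by Source_Device` then aggregates every bin for a source into one row, so `dc(Destination)` ends up counting distinct destinations over the whole search range (7 days), not over 5 seconds. The fix is to keep `_time` in the stats by-clause so the bins survive. The search below is an added example and is not code from either poster; the `Source_User` and `Failed_Attempts` field names are my own choices, and it assumes the Authentication data model is accelerated for the full search range (with `summariesonly=true`, any non-accelerated time range simply returns nothing, which looks like "no failures" rather than an error).

```spl
| tstats summariesonly=true count from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication
    by Authentication.src, Authentication.dest, Authentication.src_user, _time span=5s
| rename Authentication.src AS Source_Device, Authentication.dest AS Destination, Authentication.src_user AS Source_User
| stats dc(Destination) AS Total_Dest, values(Destination) AS List_Destinations, values(Source_User) AS Users_Tried, sum(count) AS Failed_Attempts
    by Source_Device, _time
| where Total_Dest > 10
| sort - _time
```

Each result row is then one source device in one 5 second bin with more than 10 distinct failed destinations, which is exactly the condition to alert on. Two caveats worth knowing before scheduling this: the bins are fixed (00:00:00-00:00:05, 00:00:05-00:00:10, ...), so a burst that straddles a bin boundary can be split and miss the threshold; if that matters, the per-source distinct count can instead be computed with `streamstats time_window=5s ... by Source_Device` over the time-sorted rows, which gives a sliding window at the cost of a heavier search. And the timechart approach in the reply above drops the per-source split entirely (no `by Source_Device`), which is why it only produced a destination breakdown per time bucket.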