Splunk Search

use stat count

sg5258
Explorer

I'm working on a query to pinpoint login attempt failures on a particular network address, hence I use a count stat on the network address. Here is my query:

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port 

However, the result is not as ideal as I want. It now seems like it is counting asdasd (User_Name), whereas I want the source 10.110.12.143 to be counted for how many times it appears within the 15-minute bucket, regardless of the User_Name.

So if I do the following

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port | search y >3

I only get results from User_Name asdasd.
Can anyone guide me on this?

  time                   source_network_Address User_Name Workstation_Name Source_Port y
  6/25/12 4:15:00.000 PM 10.110.12.143          134        SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          asdasd     SGVM-QA0012         2149    4 
  6/25/12 4:15:00.000 PM 10.110.12.143          dfsfds     SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          iojioj     SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          kjnhg      SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          rtyjk      SGVM-QA0012         2257    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2118    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2280    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          hjtyjty    SGVM-QA0012         2118    1 

kristian_kolb
Ultra Champion

As Ayn says, you're complicating it too much. If you only want to find out how many failed login attempts have been made towards this particular host in each 15 minute period, the following should work.

source = "WinEventLog:Security"  EventCode="529" Source_Network_Address=10.110.12.143 | bucket _time span=15m | stats count(Source_Network_Address) as y by _time

UPDATE:

Would this be what you want?

source = "WinEventLog:Security"  EventCode="529"  | bucket _time span=15m | stats count values(User_Name) as y by _time Source_Network_Address

/Kristian
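To make the difference between the two split-by clauses concrete, here is an added Python emulation (not from the poster, Kristian, or Splunk) of `bucket _time span=15m | stats count values(User_Name) by ...` followed by the `y > 3` filter, run over constructed failed-logon events modelled on the result table; the timestamps and helper names are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EventCode 529 (failed logon) events modelled on the
# poster's result table; exact timestamps are assumed, the page shows only buckets.
FIELDS = ("_time", "Source_Network_Address", "User_Name", "Workstation_Name", "Source_Port")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2012-06-25 16:16:02", "10.110.12.143", "134",     "SGVM-QA0012", 2149),
    ("2012-06-25 16:17:40", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:17:55", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:18:12", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:19:01", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:20:30", "10.110.12.143", "dfsfds",  "SGVM-QA0012", 2257),
    ("2012-06-25 16:22:11", "10.110.12.143", "iojioj",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:25:45", "10.110.12.143", "kjnhg",   "SGVM-QA0012", 2257),
    ("2012-06-25 16:28:09", "10.110.12.143", "rtyjk",   "SGVM-QA0012", 2257),
    ("2012-06-25 16:31:00", "10.110.12.143", "admin",   "SGVM-QA0012", 2118),
    ("2012-06-25 16:33:20", "10.110.12.143", "admin",   "SGVM-QA0012", 2280),
    ("2012-06-25 16:40:05", "10.110.12.143", "hjtyjty", "SGVM-QA0012", 2118),
]]

def bucket_time(ts, span_min=15):
    """`bucket _time span=15m`: floor the timestamp to the 15-minute boundary."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.replace(minute=dt.minute - dt.minute % span_min, second=0).strftime("%H:%M")

def stats_count(events, by):
    """`stats count values(User_Name) by <by fields>`: one row per distinct
    tuple of the split-by fields, with the event count and the user names seen.
    Every field listed in `by` splits the count, which is why adding User_Name
    turns one burst from a source address into many small per-user rows."""
    rows = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        key = tuple(bucket_time(ev["_time"]) if f == "_time" else ev[f] for f in by)
        rows[key]["count"] += 1
        rows[key]["users"].add(ev["User_Name"])
    return {k: (v["count"], sorted(v["users"])) for k, v in rows.items()}

def over_threshold(rows, y=3):
    """`| search y > 3`: keep only the groups whose count exceeds the threshold."""
    return {k: v for k, v in rows.items() if v[0] > y}
```

Splitting by `_time Source_Network_Address` alone yields 9 failures from 10.110.12.143 in the 16:15 bucket across six user names, while the poster's full split-by leaves only the single asdasd row above the threshold.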

sg5258
Explorer

Great!!!
Thanks for the update. It works now!


kristian_kolb
Ultra Champion

See update above. /k


sg5258
Explorer

Hi,
Thanks for the suggestion.
I got your point.
However, the sample I offered is only a test on my own computer, hence the network address is the same.
I need to detect ANY network address, not one particular address.
But anyway, thank you for your point.


Ayn
Legend

If you don't want it to split by username, then why are you splitting by username?
