Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting & Grouping Field Values

MikeElliott
Communicator
‎07-21-2017 01:49 AM

Hi All,

I am currently attempting to write a Splunk search that will count the amount of failed authentications for a multiple user accounts, grouped by Source IP. I have provided my current (basic) search string below and have attached an image of sanitised search results, detailing current output vs the output I would like to achieve.

I have attempted various different combinations of stats count() and stats values(), but just cannot seem to get it right.

Any assistance would be greatly appreciated.

index=Windows sourcetype=WinEventLog:Security EventCode=4625
| eval Account_Name=mvindex(Account_Name, 1)
| stats count(EventCode) as Authentication_Failures by Account_Name, Source_Network_Address

Uploaded Image

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-22-2017 07:07 PM

Just add this to the bottom of your existing search:

| stats values(*) AS * BY Account_Name

OR

| stats sum(Authentication_Failures) AS Authentication_Failures list(Source_Network_Address) AS Source_Network_Address BY Account_Name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-22-2017 07:07 PM

Just add this to the bottom of your existing search:

| stats values(*) AS * BY Account_Name

OR

| stats sum(Authentication_Failures) AS Authentication_Failures list(Source_Network_Address) AS Source_Network_Address BY Account_Name
0 Karma
Reply
Solved! Jump to solution

MikeElliott
Communicator
‎07-24-2017 12:11 AM

Much appreciated @woodcock! Thank you for taking the time to help me out 🙂

0 Karma
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 05:34 AM

@MikeElliott try something like this

 index=Windows sourcetype=WinEventLog:Security EventCode=4625
 | eval Account_Name=mvindex(Account_Name, 1)
 | stats list(EventCode) as Authentication_Failures list(Source_Network_Address) as Source_Network_Address by Account_Name
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 05:39 AM

I was using a csv with the generated data so you can sum Authentication_Failures if your totaling the actual times failed login also

index=Windows sourcetype=WinEventLog:Security EventCode=4625
| eval Account_Name=mvindex(Account_Name, 1)
| stats sum(EventCode) as Authentication_Failures list(Source_Network_Address) as Source_Network_Address by Account_Name
0 Karma
Reply
Solved! Jump to solution

MikeElliott
Communicator
‎07-21-2017 06:44 AM

A superb solution, my thanks @Grumpalot.

I have made a few modifications to the search string - Mainly just to adjust the end output. I was wondering if I could be so bold as to ask for help with one last thing?

How would I modify the below search string to only provide results where Source_Network_Address field has >= 2 Values? I have attempted to use a where statement, as well as a separate count() | where statement and can't seem to get it to work.

index=Windows sourcetype=WinEventLog:Security EventCode=4625 earliest=-25h@h latest=-1h@h 
| eval Account_Name=mvindex(Account_Name, 1) 
| search Source_Network_Address!="-" 
| stats count(EventCode) as Authentication_Failures values(Source_Network_Address) as Source_Network_Address by Account_Name 
| where Authentication_Failures > 10 
| sort -Authentication_Failures
0 Karma
Reply
Solved! Jump to solution

Grumpalot
Communicator
‎07-21-2017 07:35 AM

Go ahead and change your where to search

index=Windows sourcetype=WinEventLog:Security EventCode=4625 earliest=-25h@h latest=-1h@h 
| eval Account_Name=mvindex(Account_Name, 1) 
| search Source_Network_Address!="-" 
| stats count(EventCode) as Authentication_Failures values(Source_Network_Address) as Source_Network_Address by Account_Name 
| search Authentication_Failures > 10 
| sort -Authentication_Failures
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...