How to create a search to make a table of count of failed logins by user with fields in other columns?

supreetsingh75
New Member

A table with the count of failed logins by a user per day over a period of 7 days, with the columns date, sourceip, destinationip, user and count. For example:

date sourceip destinationip user count
Jan-18-2018 10.12.13.14 10.12.2.3 rolland 5
Jan-19-2018 10.12.13.14 10.12.2.3 rolland 12


yannK
Splunk Employee

Make sure that the time field is extracted; then you can use bucket _time and sum up the count per user.

  index=myindex source=mytable | bucket _time span=24h | stats sum(count) by _time user

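A complete version of that approach, added here as an example that is not part of the original thread: it constructs a handful of sample failed-login events with makeresults so the search runs on any Splunk instance without an index, then bins them per day and counts per user and source/destination pair. The field names src_ip, dest_ip and user and the sample values are assumptions, not taken from the poster's data.

```spl
| makeresults
| eval raw="2018-01-18T03:10:00 10.12.13.14 10.12.2.3 rolland;2018-01-18T04:25:00 10.12.13.14 10.12.2.3 rolland;2018-01-18T09:40:00 10.12.13.20 10.12.2.3 alice;2018-01-19T02:05:00 10.12.13.14 10.12.2.3 rolland;2018-01-19T02:06:00 10.12.13.14 10.12.2.3 rolland;2018-01-19T22:50:00 10.12.13.14 10.12.2.3 rolland"
| eval raw=split(raw, ";")
| mvexpand raw
| rex field=raw "^(?<ts>\S+)\s+(?<src_ip>\S+)\s+(?<dest_ip>\S+)\s+(?<user>\S+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| bin _time span=1d
| stats count AS failed_logins BY _time src_ip dest_ip user
| sort 0 _time user
| eval date=strftime(_time, "%b-%d-%Y")
| table date src_ip dest_ip user failed_logins
```

For the real report, replace the first five lines (makeresults through strptime) with the base search over the custom index, for example index=myindex action=failure earliest=-7d@d latest=@d, and keep the bin/stats/strftime/table stages unchanged; with the constructed events above the table shows rolland with 2 failures on Jan-18-2018 and 3 on Jan-19-2018 and alice with 1 on Jan-18-2018. Appending | where failed_logins > 10 turns the same search into a threshold alert for brute-force style failures.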


supreetsingh75
New Member

bucket _time did the trick. Thank you so much!


493669
Super Champion

From what data or table do you want to create the search to get the count of failed logins?


supreetsingh75
New Member

It's a custom index that logs failed logins as actions.


somesoni2
Revered Legend

Do all events have all the fields that you want to show? If yes, you can do something like this:

  your base search
  | eval date=strftime(_time,"%b-%d-%Y")
  | stats count by date sourceip destinationip user

supreetsingh75
New Member

This is great, but I need this query to produce a report that shows a count of user login failures per 24 hours over a period of 7 days. See my output:

date sourceip destinationip user count
Jan-18-2018 10.12.13.14 10.12.2.3 rolland 5
Jan-19-2018 10.12.13.14 10.12.2.3 rolland 12

Your query does not show me the same output.


niketn
Legend

@supreetsingh75, what is the event logged during a failed login (request/response)? Please mock/anonymize any sensitive data before posting the events.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"