Solved: how to search same event occur four times in five ...

lllidan · ‎05-15-2018

i got a mission from my manager, search the the same account login failure event occur four times in per five minutes , could you please help me or give me some suggestion ? thanks a lot, from a beginner.

FrankVl · ‎05-15-2018

To analyse this with a sliding 5 minute window (rather than simply using a timechart, or manually grouping events into 5 minute bins), you can use something like the following (adjust it to your situation):

...<your base search here>...
| streamstats count time_window=5m by user
| where count >=4

View solution in original post

FrankVl · ‎05-15-2018

To analyse this with a sliding 5 minute window (rather than simply using a timechart, or manually grouping events into 5 minute bins), you can use something like the following (adjust it to your situation):

...<your base search here>...
| streamstats count time_window=5m by user
| where count >=4

niketn · ‎05-16-2018

@FrankVl, I think count=4 will give all the users with 4 or more login failed in 5 minute window and that should be the where condition i.e.

| where count=4

The count>=4 will not add any value since failed attempt 1,2 and 3 will be removed.

For details | streamstats count time_window=5m by user can be used as it is possibly add a | eval Threshold=4 to see at what point of time did the failed login attempt cross 4 or more.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

FrankVl · ‎05-17-2018

Yeah, that makes sense. doing >=4 just gives a lot of extra records for users that failed more than 4 times. Filtering for just the =4 shows the event that caused it to meet the threshold.

niketn · ‎05-15-2018

@lllidan you would need to add more details around the data and fields for us to assist you better. Mask/Anonymize any sensitive information before posting.

Assuming account field is AccountName

<yourBaseSearchForLoginFailure> AccountName=*
| bin _time span=5m
| stats count as LoginFailure by _time AccountName
| where LoginFailure>=4

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lllidan · ‎05-15-2018

thanks for your help, and below is my base search:

EventCode=4625 Keyword=Logon_Failed

and i wanna to display the Account_Name or Hostname on the column via timechart or Dashboard.

otherwise, " 4 attempts in 5 minutes" means after the first attempt , in 5 minutes occur other 3 times attempts , how can i define the 5 minutes time period after the first attempt ?

do you have some good suggestion ?
thanks in advance.

niketn · ‎05-16-2018

@FrankVl 's suggestion should do it! Try out and accept his answer if it works for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mayurr98 · ‎05-15-2018

you can try something like this

index=<your_index> "login failure" 
| timechart span=5m count 
| where count=4

You can change the condition count=4 according to your requirement.

let me know if this helps!

FrankVl · ‎05-15-2018

Note that this would miss cases where the 4 attempts are spread across two 5 minute windows. But it is a simple way to start.

lllidan · ‎05-15-2018

thanks for your help, and below is my base search:

EventCode=4625 Keyword=Logon_Failed

and i wanna to display the Account_Name or Hostname on the column via timechart or Dashboard.

otherwise, " 4 attempts in 5 minutes" means after the first attempt , in 5 minutes occur other 3 times attempts , how can i define the 5 minutes time period after the first attempt ?

do you have some good suggestion ?
thanks in advance.

mayurr98 · ‎05-15-2018

index=<your_index> EventCode=4625 Keyword=Logon_Failed | timechart span=5m count by account_name where count>=4

how to search same event occur four times in five minutes

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life