Hello,
I have a search that covers 7 days of data showing when users failed to login 5 or more times, but I want to know if it is possible to break the search down so it only shows 5 or more failed logins in a 24 hour period.
So the search won't return a user who had 2 failed logins on Monday and 3 on Friday, but will show if the user had 5 failed logins on Tuesday.
Thanks,
Yes, the bit I am stuck on now is per day. Sorry, still new to Splunk and keep getting stuck.
So I have this search:
source="secure" sshd "pam_ldap: error trying to bind as user" | top uid limit=500 | where count >= 5
yannk I am not sure how I incorporate what you have described above?
Maybe the new thing is "per day"; to achieve that you should use a bucketing per day of the _time field.
mysearch | bin _time span=1d | stats count(whateveryouuseforfailure) AS daily_failure_count by whateveryouuseforuser _time | where daily_failure_count >= 5 | table _time whateveryouuseforuser daily_failure_count
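The per-day bucketing above, worked through in Python rather than SPL so it can be run offline against a few constructed log lines. This is an added example, not code from the thread or from Splunk: failures_per_day() does what "bin _time span=1d | stats count by user _time | where count >= 5" does (calendar-day buckets, midnight to midnight), and failures_in_rolling_window() shows the difference between that and a true rolling 24 hour window, which the question literally asks for. The syslog line layout, the year (syslog timestamps carry none), the user names and the counts are all assumptions made up for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure style lines (assumed layout, not real data).
# alice: 2 failures on Jan 1 and 3 on Jan 5 -> 5 over the week, never 5 in one day.
# bob:   5 failures within a minute on Jan 2.
# dave:  3 failures late on Jan 3 and 2 just after midnight on Jan 4 -> 5 within
#        a few hours, but split across two calendar days.
SAMPLE_LOG = """\
Jan  1 10:00:01 host sshd[100]: pam_ldap: error trying to bind as user "alice" (Invalid credentials)
Jan  1 10:05:02 host sshd[101]: pam_ldap: error trying to bind as user "alice" (Invalid credentials)
Jan  2 08:00:00 host sshd[105]: pam_ldap: error trying to bind as user "bob" (Invalid credentials)
Jan  2 08:00:10 host sshd[106]: pam_ldap: error trying to bind as user "bob" (Invalid credentials)
Jan  2 08:00:20 host sshd[107]: pam_ldap: error trying to bind as user "bob" (Invalid credentials)
Jan  2 08:00:30 host sshd[108]: pam_ldap: error trying to bind as user "bob" (Invalid credentials)
Jan  2 08:00:40 host sshd[109]: pam_ldap: error trying to bind as user "bob" (Invalid credentials)
Jan  2 08:01:00 host sshd[120]: Accepted password for carol from 10.0.0.5 port 2222 ssh2
Jan  3 23:00:00 host sshd[130]: pam_ldap: error trying to bind as user "dave" (Invalid credentials)
Jan  3 23:10:00 host sshd[131]: pam_ldap: error trying to bind as user "dave" (Invalid credentials)
Jan  3 23:20:00 host sshd[132]: pam_ldap: error trying to bind as user "dave" (Invalid credentials)
Jan  4 00:10:00 host sshd[133]: pam_ldap: error trying to bind as user "dave" (Invalid credentials)
Jan  4 00:20:00 host sshd[134]: pam_ldap: error trying to bind as user "dave" (Invalid credentials)
Jan  5 09:00:00 host sshd[102]: pam_ldap: error trying to bind as user "alice" (Invalid credentials)
Jan  5 09:01:00 host sshd[103]: pam_ldap: error trying to bind as user "alice" (Invalid credentials)
Jan  5 09:02:00 host sshd[104]: pam_ldap: error trying to bind as user "alice" (Invalid credentials)
"""

# Matches only the pam_ldap bind-failure lines; everything else is ignored,
# which is the equivalent of the search terms in the original query.
FAILURE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'pam_ldap: error trying to bind as user "(?P<user>[^"]+)"'
)


def iter_failures(log_text, year=2024):
    """Yield (user, timestamp) for each bind-failure line. Year is assumed."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield m.group("user"), ts


def failures_per_day(log_text, threshold=5, year=2024):
    """Calendar-day buckets: same result as bin _time span=1d | stats count by user _time."""
    counts = Counter()
    for user, ts in iter_failures(log_text, year):
        day = ts.date().isoformat()      # the bucket key, like the binned _time
        counts[(user, day)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def failures_in_rolling_window(log_text, threshold=5, window_hours=24, year=2024):
    """Any window of window_hours (sliding, not midnight-aligned) holding >= threshold failures."""
    per_user = defaultdict(list)
    for user, ts in iter_failures(log_text, year):
        per_user[user].append(ts)
    window = timedelta(hours=window_hours)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # advance the left edge until every event in [start, end] is within the window
            while t - times[start] >= window:
                start += 1
            span_count = end - start + 1
            if span_count >= threshold:
                flagged[user] = max(flagged.get(user, 0), span_count)
    return flagged


if __name__ == "__main__":
    print("per calendar day:", failures_per_day(SAMPLE_LOG))
    print("rolling 24h:     ", failures_in_rolling_window(SAMPLE_LOG))
```

With the sample, the calendar-day version flags only bob, exactly the behaviour asked for in the question (alice's 2 + 3 across the week is not reported). The rolling version also flags dave, whose 5 failures fall within 80 minutes but straddle midnight, so a span=1d bucket never sees more than 3 of them. That is the caveat to keep in mind with bin: it answers "5 in one day", not "5 in any 24 hours". If the stricter meaning matters for your alerting, you need a sliding window rather than fixed buckets.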
Rob - didn't you ask this, and receive an answer before? See http://splunk-base.splunk.com/answers/66972/5-and-above-login-failures
If you just want to parameterise that to within "authentication" AND "access" AND "failure" | dedup _time, user | table Workstation_Name, Failure_Reason, Logon_Type, user
and optionally add a WHERE count etc...
Br
Dave