Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I make a Splunk query that generates stats ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:07 AM
Here is my current query:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?<account>\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
I am trying to get all failed logons grouped by account name on a daily basis, and generate statistics so that future behavior can be identified as anomalous. This query "works", but this part of the query...
|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
...generates the stats on all the accounts and not only on the specific account.
Early on in the query, I group it by account name, Date and host, but after eventstats, it generates statistics on all the accounts as if they are the same. I think this is very easy to fix but I can't seem to figure it out.
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
12:25 PM
Yup that worked! Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:23 AM
Switch the query to:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean **by account** | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(counthigh_lim, count,0)
and It works...
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
