Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run stats for just user and return values for other fields?

jwalzerpitt
Influencer
‎10-22-2019 09:27 AM

I have the following search looking for > three login attempts with > 0 successes and two or > failures by user, src, Country, Region, and City which limits me to searching for all five fields. 

index="foo" sourcetype="foo:bar" tag=authentication "Primary authentication" 
| dedup _time 
| iplocation src 
| stats count(action) as Attempts, count(eval(match(action,"failure"))) as Failed,
    count(eval(match(action,"success"))) as Success
    earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by user src Country Region City  
| where Attempts>=3 AND Success>0 AND Failed>=2  
| eval FirstAttempt=strftime(FirstAttempt,"%x %X") 
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")

How would I modify this search to include the values from the src, Country, Region, and City fields but be based on just the user so that I would see events in which a user tried to login from New York and Panama, and China, etc.?

Thx

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-25-2019 04:28 PM

Like this (including other optimizations)

index="foo" sourcetype="foo:bar" tag=authentication "Primary authentication" 
| stats count(action) AS Attempts, count(eval(action="failure")) AS Failed,
            min(_time) AS FirstAttempt max(_time) AS LatestAttempt BY user src
| eval Success = Attempts - Failed
| iplocation src 
| rename COMMENT AS "This creates: Country Region City"
| where Attempts>=3 AND Success>0 AND Failed>=2  
| eval FirstAttempt=strftime(FirstAttempt,"%x %X") 
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")
| sort 0 - Attempts
| stats list(*) AS * BY src

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-25-2019 04:28 PM

Like this (including other optimizations)

index="foo" sourcetype="foo:bar" tag=authentication "Primary authentication" 
| stats count(action) AS Attempts, count(eval(action="failure")) AS Failed,
            min(_time) AS FirstAttempt max(_time) AS LatestAttempt BY user src
| eval Success = Attempts - Failed
| iplocation src 
| rename COMMENT AS "This creates: Country Region City"
| where Attempts>=3 AND Success>0 AND Failed>=2  
| eval FirstAttempt=strftime(FirstAttempt,"%x %X") 
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")
| sort 0 - Attempts
| stats list(*) AS * BY src
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎10-28-2019 05:27 AM

TYVM - worked perfectly

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2019 12:30 AM

Hi jwalzerpitt,
did you tried to ad the values(City) AS City etc... options to the stats command?

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎10-22-2019 09:58 AM

One other thing I noticed about this search if I just run the following over the past 24 hours limiting to 'by user' is the inconsistency of the search in that I get zero events and then re-run it a few times and I get one user listed and then re-run a few more times and get a different user, but usually zero events are returned and I can't figure out why both users don't show up every times I run the search as they fall within the 24 hour time period. If I filter for each user I get results for each one, but this search is general never returns the same correct results

 index="foo" sourcetype="foo:bar" tag=authentication "Primary authentication" 
 | dedup _time 
 | iplocation src 
 | stats count(action) as Attempts, count(eval(match(action,"failure"))) as Failed,
     count(eval(match(action,"success"))) as Success
     earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by user
 | where Attempts>=3 AND Success>0 AND Failed>=2  
 | eval FirstAttempt=strftime(FirstAttempt,"%x %X") 
 | eval LatestAttempt=strftime(LatestAttempt,"%x %X")
0 Karma
Reply
Solved! Jump to solution

sandeepmakkena
Contributor
‎10-22-2019 11:26 AM

Did you try using chart 

| chart count(action) as Attempts, count(eval(match(action,"failure"))) as Failed,
      count(eval(match(action,"success"))) as Success
      earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by user Country
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎10-22-2019 11:34 AM

I modified the search as follows, using chart and putting where at the bottom, and know everytime I runt he search I no longer get zero results, but it bounces randomly between the two users, but never listing them together

| dedup _time 
| iplocation src 
| chart count(action) as Attempts, count(eval(match(action,"failure"))) as Failed,
       count(eval(match(action,"success"))) as Success
       earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by user 
| eval FirstAttempt=strftime(FirstAttempt,"%x %X") 
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")
| where Attempts>=3 AND Success>0 AND Failed>=2
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...