Total Results With All Fields Showing

johann2017
Explorer

I am trying to build an alert for when the total results for my search is greater than 9. I have it working, except that I want to add additional fields in the table. In the example below I am getting only the "Account_Name" and the "src_ip". When I add additional fields that I want it to show me in the columns, it messes up the total results count. How can I get it to alert when the results total hits a certain threshold AND also have it show me the columns I want without altering any totals?

index=windows-logs (EventCode=4624 OR EventCode=4625) Account_Name=Administrator1 OR Account_Name=Administrator2 OR Account_Name=Administrator3 NOT src_ip IN (10.10.200.22, 10.1.3.50, 10.1.0.179, 10.1.1.187, 10.10.162.60, 10.10.162.62, 10.10.162.63, 10.10.162.67, 10.10.162.68, 10.10.162.13, 10.10.162.14, 10.10.162.15, 10.1.0.85, 10.1.0.86)
| stats count as Total by src_ip
| table Account_Name, src_ip, Total
| where Total > 9
| rename src_ip AS "Source IP Performing Remote Login Attempts" host AS Destination_Host


bowesmana
SplunkTrust

Stats will only preserve fields in the stats statement, so if you want to preserve host and Account_Name, then you might want to do

| stats values(Account_Name) as Account_Name values(host) as Destination_Host count as Total by src_ip 
| where Total > 9
| table Account_Name, src_ip, Destination_Host, Total
| rename src_ip AS "Source IP Performing Remote Login Attempts" 

However, that may not be exactly what you are after, in that there may be several account names and hosts all coming from the same IP address.


johann2017
Explorer

Hello @bowesmana. I will re-phrase what I am trying to accomplish so it may be easier to understand. I want to build an alert for when the total number of logins for a specific user (let's say administrator) within X amount of time (let's say 10 minutes) exceeds a certain threshold (let's say greater than 9 times). In the results I want to be able to see all fields for each event that I specify.


bowesmana
SplunkTrust

@johann2017 so you want to count by account name, irrespective of the source/target host, so this should work

| eval Login=src_ip."-->".host
| stats values(Login) as Logins count as Total by Account_Name
| where Total > 9

This generates a new field called 'Login' holding the source/target pair, then counts all pairs by the account name and filters out totals of 9 or less.

Here's a full example

| makeresults 
| rename COMMENT as "Setting up data to show example" 
| eval f="Admin1,10.10.16.86,server1#Admin2,10.10.16.87,server2#Admin1,10.10.16.88,server3#Admin2,10.10.16.89,server4#Admin1,10.10.16.90,server5#Admin2,10.10.16.85,server6#Admin1,10.10.16.84,server7#Admin2,10.10.16.83,server8#Admin1,10.10.16.82,server9#Admin2,10.10.16.81,server10#Admin1,10.10.16.80,server11#Admin3,10.10.17.86,server12#Admin1,10.10.18.86,server13#Admin3,10.10.19.86,server14#Admin1,10.10.15.86,server15#Admin3,10.10.14.86,server16" 
| makemv delim="#" f 
| mvexpand f 
| rex field=f "(?<Account_Name>[^,]*),(?<src_ip>[^,]*),(?<host>.*)" 
| eval d=15 
| accum d 
| eval _time=_time+d 
| rename COMMENT as "This is what you should do" 
| eval Login=src_ip.":".host 
| stats values(Login) as Logins count as Total by Account_Name 
| where Total > 4

Note here I use (4) to demonstrate, but this will give you a row per user with the values as a multi value field. If you want a row per login then you will have to split back out the values, like

| mvexpand Logins
| eval tmp=split(Logins, ":")
| eval src_ip=mvindex(tmp,0,0)
| eval host=mvindex(tmp,1,1)
| fields Account_Name, src_ip, host, Total

Hope this helps


bowesmana
SplunkTrust

And if you want to get hold of all your other fields in the data, then you probably need to look at eventstats rather than stats. Stats will aggregate and remove the non-aggregated data, whereas eventstats will perform the same aggregations as stats, but will add those aggregations back into the original event data, leaving all the original fields there to play with as you like.

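Putting the thread together, as an added example that is not from any of the posters above: the re-phrased requirement is a per-account login count inside a 10-minute window, above a threshold, with every field of each matching event still visible. The eventstats suggestion is what makes that possible, and bin supplies the time window, which none of the searches above include. The first half builds constructed test data with makeresults (same idiom as the earlier example; the accounts, IPs, hosts, EventCodes and the base timestamp are made up), the second half is the detection itself. Field names (Account_Name, src_ip, host, EventCode) are taken from the original search.

```spl
| makeresults
| rename COMMENT as "Constructed test data, not real Windows logs: Account_Name,src_ip,host,EventCode,seconds_after_window_start"
| eval f="Admin1,10.10.16.86,server1,4625,5#Admin1,10.10.16.87,server2,4625,65#Admin1,10.10.16.88,server3,4624,125#Admin1,10.10.16.89,server4,4625,185#Admin1,10.10.16.90,server5,4625,245#Admin1,10.10.16.91,server6,4624,305#Admin1,10.10.16.92,server7,4625,365#Admin1,10.10.16.93,server8,4625,425#Admin1,10.10.16.94,server9,4624,485#Admin1,10.10.16.95,server10,4625,545#Admin1,10.10.16.96,server11,4624,605#Admin1,10.10.16.97,server12,4624,665#Admin2,10.10.17.10,server1,4624,30#Admin2,10.10.17.11,server2,4624,90#Admin2,10.10.17.12,server3,4624,150#Admin2,10.10.17.13,server4,4624,210#Admin3,10.10.18.5,server1,4624,300"
| makemv delim="#" f
| mvexpand f
| rex field=f "^(?<Account_Name>[^,]+),(?<src_ip>[^,]+),(?<host>[^,]+),(?<EventCode>[^,]+),(?<offset>\d+)$"
| rename COMMENT as "1699999800 is an assumed base time that is a whole multiple of 600 seconds, so the first ten Admin1 events land in one 10-minute bin and the last two in the next"
| eval _time=1699999800 + tonumber(offset)
| fields - f, offset
| rename COMMENT as "Detection starts here. In production, replace everything above with the real base search (index=windows-logs (EventCode=4624 OR EventCode=4625) ... NOT src_ip IN (...))"
| rename COMMENT as "bin leaves _time on every event untouched and adds the 10-minute bucket as a separate field"
| bin _time span=10m as window
| rename COMMENT as "eventstats computes the per-account, per-window count but keeps every original event and every original field"
| eventstats count as Total by Account_Name, window
| where Total > 9
| eval window=strftime(window, "%Y-%m-%d %H:%M")
| table window, _time, Account_Name, src_ip, host, EventCode, Total
| sort 0 Account_Name, _time
```

With the constructed data only Admin1's ten logins in the first window survive the where clause, each as its own row with its own src_ip, host and EventCode; Admin1's two logins in the following window, Admin2's four and Admin3's one are dropped. For the saved alert, set the trigger condition to "number of results is greater than 0", since the threshold is already enforced by the where clause. If you would rather have one row per account per window, swap eventstats for stats values(src_ip) as src_ips values(host) as Destination_Hosts count as Total by Account_Name, window. One caveat: bin windows are clock-aligned at whole multiples of 10 minutes, so a burst that straddles a boundary is split across two windows and may stay under the threshold in both; a sliding window needs streamstats with the time_window option instead, which this example does not use.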

arjunpkishore5
Motivator

Hi @johann2017

Is the query complete? After your stats command you will only have 2 columns, Total and src_ip. So the table statement will not have an Account_Name, nor will you have a host column, which is used in the rename statement.


arjunpkishore5
Motivator

Once you paste the query, please highlight it and press the code sample button (the button with 1s and 0s). This will ensure that the formatting for the code is maintained.
