Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I search for two same events with 2 minutes between them?

Silverfeyn
Explorer
‎05-20-2013 02:52 AM

Hi, I need to search 2 failed and identical loggin attemps with 2 minutes between each other to know if someone is trying to guess the pass of a domain account.

For example, I want to search for the Event 4776(failed loggin attempt) for the same account but only if is happening between for example 2 minutes.
How can I search this?

Thanks in advance

Tags (4)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2013 05:49 AM

You can extract that field in the search like this:

... | rex "Nombre de cuenta:\s*(?<account>\w+)" | transaction ...

To make the extraction stick you can put the regular expression into a field extraction through the manager.

0 Karma
Reply

Silverfeyn
Explorer
‎05-20-2013 04:05 AM

Ok, I have been looking and the correct code is ;
EventCode=4625
The Account field doesn't exist, there is a subfield that tracks the username that I want to look for, this is a example of the log;
alt text

The yellow part would be the "Account" but I don't know how to track it, and if I use
"EventCode=4625 | transaction ComputerName maxspan=2m | search eventcount>1" trying to track the ComputerName field, It shows all the events, not only events happened in the last 2 minutes.

0 Karma
Reply

Ayn
Legend
‎05-20-2013 03:23 AM

Assuming you have the fields "EventID" and "Account" (otherwise adjust accordingly):

... EventID=4776 | transaction Account maxspan=2m | search eventcount>1
Reply

Silverfeyn
Explorer
‎05-20-2013 04:07 AM

Ok, I have been looking and the correct code is ;
EventCode=4625
The Account field doesn't exist, there is a subfield that tracks the username that I want to look for, this is a example of the log;
alt text

The yellow part would be the "Account" but I don't know how to track it, and if I use
"EventCode=4625 | transaction ComputerName maxspan=2m | search eventcount>1" trying to track the ComputerName field, It shows all the events, not only events happened in the last 2 minutes.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2013 03:20 AM

There are several ways, for example:

search for event 4776 | transaction account maxpause=120s

This will group together events for the same user as long as they are no more than two minutes apart. Any result with eventcount>1 is what you're looking for.

Alternatively, you can roll your own pseudo-transactions like this:

search for event 4776 | streamstats current=f window=1 global=f last(_time) as last_time by user | where abs(last_time-_time)<=120

That should run much faster than the transaction, but yields a slightly different result - what's better in your case depends on your environment.

Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...