Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I aggregate individual searches into a single search?

jasperlee27
New Member
‎12-13-2016 11:22 PM

Hi.

My organization is looking at identifying individual users (UserID) who have failed authentication(logon) >5 times per day for >3 consecutive days straight.

I am able to get the individual days failed logins for a particular user, but how do I aggregate them in one search to create an alert?

I am currently using this search for a particular day.

index="myindex" | lookup agentlookup agent_ID as Agent | search Application=*  Reponse= Reject |stats count by UserID | where count > 5

How do I extrapolate it to find 3 consecutive days straight?

I have also tried to use

index="myindex"| lookup agentlookup agent_ID as Agent | search Application=* Response= Reject | stats count by UserID | where count > 3 | span=1d count by UserID

to no avail. Have tried reading the documentation, but do not get it.
Thanks in advance for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-14-2016 11:25 AM

Give this a try. Remove lookup (field agent was not used) and move search filters in base search. This will list all the UserID for the day where there where more than 5 login failures.

index="myindex" Application=* Response=Reject | bucket _time span=1d 
| stats count by UserID _time | eval flag=if(count>5,1,0) 
| streamstats window=3 sum(flag) as flag by UserID | where flag=3

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-14-2016 11:25 AM

Give this a try. Remove lookup (field agent was not used) and move search filters in base search. This will list all the UserID for the day where there where more than 5 login failures.

index="myindex" Application=* Response=Reject | bucket _time span=1d 
| stats count by UserID _time | eval flag=if(count>5,1,0) 
| streamstats window=3 sum(flag) as flag by UserID | where flag=3
0 Karma
Reply
Solved! Jump to solution

jasperlee27
New Member
‎12-15-2016 01:47 AM

Thank you. This worked perfectly! Also, is it possible to display more fields beside the data? (e.g Department, Head-of-Department involved).

The fields are already defined, but In which part do I insert the fields into the search?

Thanks in advance

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎12-14-2016 05:05 AM 
index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Reponse= Reject|bucket _time span=1d |stats count by UserID _time|where count>5|bucket _time span=3d|stats count as aggCount by UserID _time|where aggCount>3

try something like this.

0 Karma
Reply
Solved! Jump to solution

jasperlee27
New Member
‎12-15-2016 01:45 AM

Thank you! This works but it does not capture repeated occurences

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...