Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I make a Splunk query that generates stats grouped by account name?

bm1391
New Member
‎12-17-2018 10:07 AM

Here is my current query:

index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?<account>\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30,  p70(count) as p70,mean(count) as mean  | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)

I am trying to get all failed logons grouped by account name on a daily basis, and generate statistics so that future behavior can be identified as anomalous. This query "works", but this part of the query... 

|eventstats median(count) as median, p30(count) as p30,  p70(count) as p70,mean(count) as mean  | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)

...generates the stats on all the accounts and not only on the specific account.

Early on in the query, I group it by account name, Date and host, but after eventstats, it generates statistics on all the accounts as if they are the same. I think this is very easy to fix but I can't seem to figure it out.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎12-17-2018 11:48 AM

you should just be able to add by account at the end of your eventstats

index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 
| rex ".*Account\sName:\s+(?<account>\S+)" 
| eval Date=strftime(_time, "%Y/%m/%d") 
| stats count by Date,account,host 
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account 
| eval iqr=p70-p30 
| eval xplier=2 
| eval low_lim=median-(iqr*xplier) 
| eval high_lim=median + (iqr*xplier) 
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎12-17-2018 11:48 AM

you should just be able to add by account at the end of your eventstats

index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 
| rex ".*Account\sName:\s+(?<account>\S+)" 
| eval Date=strftime(_time, "%Y/%m/%d") 
| stats count by Date,account,host 
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account 
| eval iqr=p70-p30 
| eval xplier=2 
| eval low_lim=median-(iqr*xplier) 
| eval high_lim=median + (iqr*xplier) 
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
0 Karma
Reply
Solved! Jump to solution

bm1391
New Member
‎12-17-2018 12:25 PM

Yup that worked! Thanks

0 Karma
Reply
Solved! Jump to solution

bm1391
New Member
‎12-17-2018 10:23 AM

Switch the query to:

index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30,  p70(count) as p70,mean(count) as mean **by account**  | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(counthigh_lim, count,0)

and It works...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...