Splunk Search

How to edit my eventstats search to return a count of failed authentications greater than ten within a ten minute window?

jph11
New Member

Been working on a report to show the best data on authentications failed more than ten times in a time span of 10 mins.

Am I headed the right direction? I'm just questioning my count in the table whether or not it is correct:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | eventstats count(user) as failure_count by src_ip | bucket _time span=10m |  where failure_count>10 | dedup src_ip |table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count

Appreciate any and all help.


sundareshr
Legend

Move the bucket to before the eventstats and group eventstats by _time as well. Like this:

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | bucket _time span=10m | eventstats count(user) as failure_count by _time src_ip | where failure_count>10 | dedup src_ip | table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count

jph11
New Member

I think this is close, but comparing my numbers in the count field to raw events it seems way off.
I had been using just stats but needed more info in the table. Here's the stats command I was using that I felt was accurate.

Thoughts?

index=wineventlog OR index=cisco_auth action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | stats  count by user,signature,src_ip| where  count > 10 |  bucket _time span=10m |

sundareshr
Legend

Here's the difference between the two searches.

In the search I provided, the count is grouped by _time (10m increments) and src_ip.

In your search the count is grouped by user, signature and src_ip (more group-by fields and no time field).

To check the count, try this search

index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested"  | timechart span=10m count as failure_count by src_ip
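To make the grouping difference concrete, here is an added Python example (not code from the thread or from Splunk) that replays the three aggregations discussed above over a constructed set of failed-logon events. `count_by_src_ip` mirrors the original search (eventstats before bucket, so the count covers the whole search period), `count_by_window_and_src_ip` mirrors the suggested fix (bucket first, then count by `_time` and `src_ip`), and `count_by_user_signature_src_ip` mirrors the `stats count by user, signature, src_ip` version with no time window. The event records, the base timestamp, and the field names are assumptions chosen to match the fields used in the thread's searches; `_time` is epoch seconds, as Splunk stores it internally.

```python
from collections import Counter

SPAN_SECONDS = 600  # `bucket _time span=10m`
THRESHOLD = 10      # `where failure_count > 10`

# Signatures the thread's search excludes (taken from the search's base clause).
EXCLUDED_SIGNATURES = {
    "Kerberos pre-authentication failed",
    "A Kerberos authentication ticket (TGT) was requested",
}

BASE = 1714557600  # constructed: 2024-05-01T10:00:00Z, which sits on a 10-minute boundary


def make_events():
    """Constructed sample events (not from the page). _time is epoch seconds, as in Splunk."""
    events = []
    # 10.0.0.5: a burst of 12 failures inside one 10-minute window, split across two users.
    for i in range(12):
        events.append({"_time": BASE + 30 * i, "action": "failure",
                       "user": "alice" if i % 2 == 0 else "bob",
                       "signature": "Unknown user name or bad password",
                       "src_ip": "10.0.0.5"})
    # 10.0.0.9: 12 failures for one user spread evenly over three windows (4 per window).
    for w in range(3):
        for j in range(4):
            events.append({"_time": BASE + SPAN_SECONDS * w + 60 * j, "action": "failure",
                           "user": "carol",
                           "signature": "Unknown user name or bad password",
                           "src_ip": "10.0.0.9"})
    # Noise the search filters out: a machine account (user ends in $) and an excluded signature.
    events.append({"_time": BASE + 5, "action": "failure", "user": "WS01$",
                   "signature": "Unknown user name or bad password", "src_ip": "10.0.0.5"})
    events.append({"_time": BASE + 6, "action": "failure", "user": "alice",
                   "signature": "Kerberos pre-authentication failed", "src_ip": "10.0.0.5"})
    return events


def matches_filter(e):
    """action=failure user!=*$ signature!=... from the search's base clause."""
    return (e.get("action") == "failure"
            and not e.get("user", "").endswith("$")
            and e.get("signature") not in EXCLUDED_SIGNATURES)


def floor_to_span(epoch, span=SPAN_SECONDS):
    """`bucket _time span=10m`: snap the timestamp down to the start of its window."""
    return epoch - (epoch % span)


def count_by_src_ip(events):
    """Original search: eventstats runs before bucket, so the count spans the whole period."""
    return Counter(e["src_ip"] for e in events if matches_filter(e))


def count_by_window_and_src_ip(events, span=SPAN_SECONDS):
    """Suggested fix: bucket first, then `eventstats count(user) by _time src_ip`."""
    return Counter((floor_to_span(e["_time"], span), e["src_ip"])
                   for e in events if matches_filter(e))


def count_by_user_signature_src_ip(events):
    """The stats version: grouped by user, signature, src_ip with no time window."""
    return Counter((e["user"], e["signature"], e["src_ip"])
                   for e in events if matches_filter(e))


def over_threshold(counts, threshold=THRESHOLD):
    """`where failure_count > 10`: keep only the groups above the threshold."""
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    ev = make_events()
    print("whole period by src_ip:", over_threshold(count_by_src_ip(ev)))
    print("10m window by src_ip:  ", over_threshold(count_by_window_and_src_ip(ev)))
    print("user/signature/src_ip: ", over_threshold(count_by_user_signature_src_ip(ev)))
```

With this sample the three aggregations flag three different things: the whole-period count flags both IPs, the windowed count flags only the 10.0.0.5 burst (10.0.0.9 never exceeds 4 in any single window), and the user/signature grouping flags only carol on 10.0.0.9 because the 10.0.0.5 burst is split between two users. That is why the raw-event comparison in the thread looked "way off": each search answers a different question, and only the bucket-first version answers "more than ten failures from one source within ten minutes".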