Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my timechart search that shows the number of successful/failed logins over time, with a distinct count by user?

WhatTheSplunk
Engager
‎02-07-2017 02:27 PM

I am trying to find the number of successful/failed logins to my machine over time with a distinct count by user. This is the current search so far but I am unable to display a visualization for the below search:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| table time srcHost dstHost user cmd process 
| timechart span=1h dc(user) by srcHost

I am currently returning four events but nothing is being displayed under the visualization tab. Any help would be appreciated.

Update 06Feb17:
I did not realize you needed to use the builtin _time field rather than one that I had parsed out of the log and named time. I have updated the query to represent as much:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| eval type=if(searchmatch("Failed password"),"Fail","Success")
| table _time srcHost dstHost user cmd process type
| timechart span=1h count(type) by srcHost

Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2017 02:46 PM

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

View solution in original post

Reply
Solved! Jump to solution

jackjack
Path Finder
‎09-07-2021 04:11 PM

Did you ever solve the second piece of your question?

"Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color."

I am trying to figure this out now.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2017 02:46 PM

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

Reply
Solved! Jump to solution

WhatTheSplunk
Engager
‎02-08-2017 12:44 PM

You were correct that was wrong... Working on Visualization now.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...