Solved: Re: How would i combine the two outputs?

TwistTheNeil · ‎11-20-2013

I'm trying to use the stats function to list out values in a field

In the 1st image, I have the following search:
type=USER_AUTH res=failed | dedup _raw | stats count as "Failed attempts", values(dest) as "Failed on servers" by acct
http : //postimg . org/ image/ 714eq18rn/

How would i get the number of times the user failed to login to each server along with the server name?
For example, i click on the 1st user and the field shows me this
http : //postimg .org/ image/ cx4yifa8h/
(The values are actually server names)

I would like to have an output like this
acct Failed attempts Failed on servers
1 acct1 15 server1 (5)
server2 (5)
server3 (2)

and so on.

Does anyone know how i would get this?

somesoni2 · ‎11-20-2013

Try following

type=USER_AUTH res=failed | dedup _raw | stats count  by acct, dest | eval dest=dest." (".count.") | stats sum(count) as "Failed attempts", values(dest) as "Failed on servers" by acct

View solution in original post

TwistTheNeil · ‎11-20-2013

Yup, it's been resolved. Thank you though!

lukejadamec · ‎11-20-2013

Failed attempts for acct1 should be 12, right?

somesoni2 · ‎11-20-2013

Try following

type=USER_AUTH res=failed | dedup _raw | stats count  by acct, dest | eval dest=dest." (".count.") | stats sum(count) as "Failed attempts", values(dest) as "Failed on servers" by acct

somesoni2 · ‎11-20-2013

Glad I could help.

TwistTheNeil · ‎11-20-2013

Wow, thank you!

How would i combine the two outputs?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases