Hello, I have an alert that returns by email suspicious login attempts in the form of a table with client_ip, number of different logins used, list of logins used, continent and country. Basically, the table is created by this search (time window 60 minutes):

index=webauth sourcetype=cas login!="audit:unknown"
| eval login=lower(login)
| stats dc(login) AS number, values(login) AS "logins list" by client_ip
| iplocation allfields=true client_ip
| fields - City,MetroCode,Region,lat,lon,Timezone
| search number>1

Sample result:

client_ip    number  logins list  Continent  Country
192.168.0.6  3       foo bar baz  Somewhere  Here

We have many false positive alerts because some users make typos when they try to log in. I would like to clean up this table from any login that is not very different from the first one. If a result line lists those logins: myself, myselv, then the Levenshtein distance would be 1, and I would like to ditch the line (i.e. number would fall from 2 to 1, and the result would be excluded). If a result line lists: myself, myselv, yourself, then the second login would be excluded, but the result should be kept in the final table because yourself is very different from myself. I hope it makes sense.

I've studied the solution https://community.splunk.com/t5/Splunk-Search/Is-there-any-way-to-compare-multivalue-fields-to-single-value/td-p/317189 for hours, but my result is so ugly that I can't believe it's the only solution:

index=webauth sourcetype=cas login!="audit:unknown"
| eval login=lower(login)
| fields client_ip,login
| dedup client_ip,login
| mvcombine login
| eval n=mvcount(login), llogs=mvdedup(login)
| search n>1
| iplocation allfields=true client_ip
| fields - City,MetroCode,Region,lat,lon,Timezone,_raw,_time
| mvexpand login
| table *
| map maxsearches=100 search="
| makeresults
| eval login=\"$login$\", llogs=\"$llogs$\", number=\"$n$\" , Continent=\"$Continent$\" , Country=\"$Country$\" , client_ip=\"$client_ip$\"
|makemv delim=\"
\" llogs
| mvexpand llogs
|table *"
| `ut_levenshtein(login,llogs)`
| search ut_levenshtein>3
| fields - _time, llogs
| mvcombine login
| eval logins=mvdedup(login)
| eval number=mvcount(logins)
| fields - login
| dedup client_ip,logins
| table client_ip,number,logins,Continent,Country,ut_levenshtein

Any idea how to design something better? Thanks
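The clean-up rule described above, as an added Python example that is not part of the original post and not Splunk code: it applies the Levenshtein filter to rows shaped like the search result, compares each login against every login already kept (so the first login is always kept, slightly more general than comparing to the first one only), recomputes number, and drops rows left with a single login. The sample rows are constructed and the threshold 3 mirrors the `ut_levenshtein>3` test in the search.

```python
# Added example (not from the post): reproduces the intended clean-up step in
# Python so the rule can be tested outside Splunk. Rows are dicts shaped like
# the search output; the threshold 3 mirrors `search ut_levenshtein>3`.

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def collapse_logins(logins, max_dist=3):
    """Drop logins within max_dist edits of one already kept (likely typos).
    The first login is always kept, so 'myselv' collapses onto 'myself'."""
    kept = []
    for login in (l.lower() for l in logins):
        if any(levenshtein(login, k) <= max_dist for k in kept):
            continue
        kept.append(login)
    return kept


def filter_rows(rows, max_dist=3):
    """Rebuild the alert table: recompute `number` from the collapsed login
    list and keep only rows that still show more than one distinct login."""
    out = []
    for row in rows:
        kept = collapse_logins(row["logins list"], max_dist)
        if len(kept) > 1:
            out.append({**row, "number": len(kept), "logins list": kept})
    return out


# Constructed sample rows in the shape of the search result.
SAMPLE_ROWS = [
    {"client_ip": "192.168.0.6", "logins list": ["myself", "myselv"],
     "Continent": "Somewhere", "Country": "Here"},
    {"client_ip": "192.168.0.7", "logins list": ["myself", "myselv", "yourself"],
     "Continent": "Somewhere", "Country": "Here"},
    {"client_ip": "192.168.0.8", "logins list": ["alice", "bob", "svc-backup"],
     "Continent": "Somewhere", "Country": "Here"},
]

if __name__ == "__main__":
    for row in filter_rows(SAMPLE_ROWS):
        print(row["client_ip"], row["number"], " ".join(row["logins list"]))
```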