Hello All,
Sorry, relatively new to Splunk, so this query may be a pile of garbage! To summarise, I have a query here which is looking for brute force attacks against my website. The criteria is 5> unique failed attempted users, with 1+ successful usernames over a given time period. I would like to display, as part of this query, the time at which that successful connection occurred.
..... | dedup _raw,_time,source,host | dedup USERNAME,IPADDRESS,MESSAGE | eval SuccessUSERNAME=if(MESSAGE="login",USERNAME,null()) | eval FailedUSERNAME=if(MESSAGE="FAILED",USERNAME,null())
| stats count(eval(MESSAGE="FAILED")) as FailedLogon, count(eval(MESSAGE="login")) as SuccessfulLogon, values(FailedUSERNAME) as FailedUSERNAME, values(SuccessUSERNAME) as SuccessUSERNAME by IPADDRESS | search FailedLogon>5 SuccessfulLogon>=1
I've tried numerous things and suspect that a nested query would be required, but my knowledge of Splunk is very limited, so any help would be much appreciated!
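A version of the search that also reports when the successful login happened, added here as an example rather than the original poster's query. It assumes the same MESSAGE, USERNAME and IPADDRESS fields and the same leading search; it drops the USERNAME,IPADDRESS dedup (which would discard a user's failure once their success was kept) and counts distinct failed users with dc() instead, so no nested search is needed:

```spl
... | dedup _raw,_time,source,host
| stats dc(eval(if(MESSAGE="FAILED", USERNAME, null()))) as FailedUsers,
        count(eval(MESSAGE="login")) as SuccessfulLogon,
        values(eval(if(MESSAGE="FAILED", USERNAME, null()))) as FailedUSERNAME,
        values(eval(if(MESSAGE="login", USERNAME, null()))) as SuccessUSERNAME,
        min(eval(if(MESSAGE="login", _time, null()))) as FirstSuccessTime,
        max(eval(if(MESSAGE="login", _time, null()))) as LastSuccessTime,
        min(_time) as FirstSeen
  by IPADDRESS
| where FailedUsers > 5 AND SuccessfulLogon >= 1
| eval FirstSuccessTime=strftime(FirstSuccessTime, "%Y-%m-%d %H:%M:%S"),
       LastSuccessTime=strftime(LastSuccessTime, "%Y-%m-%d %H:%M:%S"),
       FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| table IPADDRESS FirstSeen FailedUsers FailedUSERNAME SuccessfulLogon SuccessUSERNAME FirstSuccessTime LastSuccessTime
```

FirstSeen next to FirstSuccessTime lets the analyst confirm the success came after the run of failures rather than before it; because results are grouped by source IP, a shared proxy or NAT address will raise FailedUsers on its own, so tune the threshold against your own traffic.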