Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my timechart search that shows the number of successful/failed logins over time, with a distinct count by user?

WhatTheSplunk
Engager
‎02-07-2017 02:27 PM

I am trying to find the number of successful/failed logins to my machine over time with a distinct count by user. This is the current search so far but I am unable to display a visualization for the below search:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| table time srcHost dstHost user cmd process 
| timechart span=1h dc(user) by srcHost

I am currently returning four events but nothing is being displayed under the visualization tab. Any help would be appreciated.

Update 06Feb17:
I did not realize you needed to use the builtin _time field rather than one that I had parsed out of the log and named time. I have updated the query to represent as much:

source="/var/log/auth.log" 
| search "Failed Password" OR "Accepted Password" 
| eval type=if(searchmatch("Failed password"),"Fail","Success")
| table _time srcHost dstHost user cmd process type
| timechart span=1h count(type) by srcHost

Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2017 02:46 PM

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

View solution in original post

Reply
Solved! Jump to solution

jackjack
Path Finder
‎09-07-2021 04:11 PM

Did you ever solve the second piece of your question?

"Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color."

I am trying to figure this out now.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2017 02:46 PM

The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?

Reply
Solved! Jump to solution

WhatTheSplunk
Engager
‎02-08-2017 12:44 PM

You were correct that was wrong... Working on Visualization now.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...