Solved: How to search for the count of failed logins in a ...

ThomasLeroy · ‎12-17-2014

Hello,

I'm trying to count the number of failed logins in a 10 min span. Here is my search:

host=.." AND gateway_username != "''" | transaction fields="src_ip,gateway_username" startswith="'ZV_REJECT'" endswith="'ZV_ACCEPT'" manspan=10m

How can I search for a log with 9 rejects or more and an accept at the end ?

Best regards
Thomas

somesoni2 · ‎12-17-2014

How about this? Assuming there is a field called "Status" which will have values like ZV_REJECT AND ZV_ACCEPT.

host=.." AND gateway_username != "''" | transaction fields="src_ip,gateway_username" startswith="'ZV_REJECT'" endswith="'ZV_ACCEPT'" maxspan=10m | where eventcount>9 AND mvcount(Status)=2

View solution in original post

somesoni2 · ‎12-17-2014

How about this? Assuming there is a field called "Status" which will have values like ZV_REJECT AND ZV_ACCEPT.

host=.." AND gateway_username != "''" | transaction fields="src_ip,gateway_username" startswith="'ZV_REJECT'" endswith="'ZV_ACCEPT'" maxspan=10m | where eventcount>9 AND mvcount(Status)=2

ThomasLeroy · ‎12-18-2014

That's exactly what i want. Thank you 🙂

How to search for the count of failed logins in a 10 minute span where a log has 9 or more rejects and an accept at the end?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio