Reputation: 35
Splunk query for rarity without AI
I need to find a rare user account logons happened in last 7 days on a distinct host.
For example, there are 10 servers in the monitoring, I need to find the user account who never did login before in 7 days but suddenly getting a login from it on any specific host among 10.
Is it possible to make without ML?
index = "main" and EventCode = 4624 | stats count by host,user | rare limit=1 account dc(hostname)
Something similar to that.
I tried several queries like using cluster and rare multiple hit and trial. But not getting expected results.
Upvotes: 0
Views: 84
Answers (1)
Reputation: 33453
I would try something like this:
index=ndx sourcetype=srctp user=* [| inputlookup my_list_of_10_hosts.csv ] earliest=0
| fields _time user host
| stats min(_time) as early max(_time) as recent by user host
| eval early_diff=now()-early
| where early_diff<604800
| eval early=strftime(early,"%c"), recent=strftime(recent,"%c")
This will go back through all your data (hence the earliest=0), and find all the user/host combos, noting the earliest and most-recent logins
Then calculate the difference in the early time from now(), making sure the first time you saw this combo was less than a week ago
Upvotes: 1
Related Questions
- Splunk query for Forwarder Management
- Splunk Query to find greater than
- Splunk search query syntax?
- Searching for specific values in Splunk query
- How to Build Splunk Search Query for below Scenario
- splunk query to concatenate status code for every hour
- Splunk query for matching lines that do not contain text
- Stats Count Splunk Query
- Splunk query substract time