@tfhartmann
Created September 25, 2013 14:30
Searches from Splunk Talk

Search used to identify users whose Postfix SASL login count is excessive, meaning more than a chosen number of standard deviations above the mean login count across all users.

index=os (sourcetype=syslog OR sourcetype=postfix_syslog) sasl_method="LOGIN"
| stats count as usercount by sasl_username
| eventstats avg(usercount) as avg_usercount stdev(usercount) as std_usercount
| where usercount > avg_usercount + 2*std_usercount
| sort - usercount
| rename avg_usercount as "Avg Count of Logins for all Users", std_usercount as "Standard Deviation of Logins for all Users", usercount as "Count of Logins"

The search first totals logins per sasl_username, then uses eventstats to compute the mean and standard deviation of those per-user totals, so both statistics describe the population of users. The original one-liner grouped by raw _time before eventstats (so most rows carried a count of 1 and the statistics described individual timestamps, not users), ran a redundant convert ctime(_time), and compared against 900*avg_usercount + std_usercount; the multiplier 2 above is a tunable threshold, not a value from the original, and should be adjusted to the size of the user population. Splunk's stdev() is the sample standard deviation, and with only a handful of users one heavy account inflates it enough to hide itself, so check the result on a quiet baseline before alerting on it. To catch bursts rather than totals over the whole search window, add `| bin _time span=1h` before the first stats and include _time in its by clause.
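The same mean-plus-k-standard-deviations check, reimplemented in Python so the threshold behaviour can be tried offline. This is an added example and not part of the gist or of Splunk; the Postfix syslog lines, usernames, hosts and queue IDs are constructed, the `k` parameter is the assumed multiplier for the standard deviation, and the sample standard deviation is used to match Splunk's stdev().

```python
"""Mean-plus-k-standard-deviations login outlier check.

Added example, not part of the original gist: it reproduces the logic of
the Splunk search in plain Python so the threshold behaviour can be
checked offline. The log lines are constructed in Postfix's syslog format;
usernames, hosts and queue IDs are made up.
"""
import re
import statistics
from collections import Counter

# Equivalent of the search's sasl_method="LOGIN" filter plus the
# sasl_username field extraction Splunk performs for postfix_syslog.
SASL_RE = re.compile(r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")

# Constructed per-user login counts used to generate the sample log:
# eight ordinary users with 2-3 logins and one account (mallory) that
# logs in far more often than the rest.
CONSTRUCTED_LOGINS = {
    "alice": 3, "bob": 2, "carol": 3, "dave": 2,
    "erin": 3, "frank": 2, "grace": 3, "heidi": 2,
    "mallory": 20,
}


def build_sample_log(spec):
    """Render one constructed postfix/smtpd line per login in `spec`, plus
    two lines the search must ignore (a PLAIN login and a qmgr line)."""
    lines = []
    qid = 0x1A2B00
    for host, (user, n) in enumerate(spec.items(), start=10):
        for _ in range(n):
            qid += 1
            lines.append(
                f"Sep 25 14:30:00 mx1 postfix/smtpd[2101]: {qid:X}: "
                f"client=unknown[192.0.2.{host}], sasl_method=LOGIN, sasl_username={user}"
            )
    lines.append("Sep 25 14:31:00 mx1 postfix/smtpd[2101]: 1A2BFF: "
                 "client=unknown[192.0.2.99], sasl_method=PLAIN, sasl_username=mallory")
    lines.append("Sep 25 14:31:05 mx1 postfix/qmgr[1999]: 1A2BFF: "
                 "from=<mallory@example.org>, size=512, nrcpt=1 (queue active)")
    return lines


def parse_sasl_logins(lines, method="LOGIN"):
    """`stats count as usercount by sasl_username`, restricted to one sasl_method."""
    counts = Counter()
    for line in lines:
        m = SASL_RE.search(line)
        if m and m.group("method") == method:
            counts[m.group("user")] += 1
    return counts


def flag_excessive(counts, k=2.0):
    """`eventstats avg/stdev ... | where usercount > avg + k*std`.

    Uses the sample standard deviation, as Splunk's stdev() does. Returns
    None when fewer than two users are present, because the deviation is
    then undefined and any threshold would be meaningless.
    """
    values = list(counts.values())
    if len(values) < 2:
        return None
    avg = statistics.mean(values)
    std = statistics.stdev(values)
    threshold = avg + k * std
    return {
        "avg": avg,
        "std": std,
        "threshold": threshold,
        "flagged": {u: c for u, c in counts.items() if c > threshold},
    }


SAMPLE_LINES = build_sample_log(CONSTRUCTED_LOGINS)

if __name__ == "__main__":
    counts = parse_sasl_logins(SAMPLE_LINES)
    for k in (2.0, 3.0):
        r = flag_excessive(counts, k)
        print(f"k={k}: avg={r['avg']:.2f} std={r['std']:.2f} "
              f"threshold={r['threshold']:.2f} flagged={r['flagged']}")
```

With k=2 the constructed data flags only mallory; with k=3 nobody is flagged, because a single heavy account among nine users inflates the standard deviation enough to lift the threshold above its own count. That is the small-population effect to keep in mind when choosing the multiplier for the Splunk search: the fewer users in the window, the more a genuine outlier distorts the baseline it is measured against.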