https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132922#M4033 <P>Here is a scrubbed version. Log Source and Sourcetype are defined and working well. LOGIN FAILURE looks exactly like LOGIN SUCCESS and is just plain text and doesn't return as an interesting field. The IP is out there and I can get a count to return by IP... but then I also want to see if these attempts have a SUCCESS or FAILURE associated. </P> <P>&lt;13&gt;Nov 7 11:14:36 <EM>log source</EM> <A href="https://community.splunk.com/*sourcetype*">07-Nov-2013 11:14:36</A> - LOGIN SUCCESS|User Attempt|0|IP list|xxx.xxx.xxx.xxx</P> <P>Thank you</P> Thu, 07 Nov 2013 18:19:52 GMT MattQ 2013-11-07T18:19:52Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132920#M4031 <P>I have logs that return the basic text of "LOGIN SUCCESS" and "LOGIN FAILURE" but I don't seem to be able to make this a unique and interesting field. I want to be able to search logs and return a count by IP addresses of everything trying to log in and then sort those with counts by SUCCESS or FAILURE</P> <P>This seems incredibly simple but I am failing at it</P> Thu, 07 Nov 2013 16:53:35 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132920#M4031 MattQ 2013-11-07T16:53:35Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132921#M4032 <P>Would you please provide sample log entries?</P> Thu, 07 Nov 2013 18:04:42 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132921#M4032 richgalloway 2013-11-07T18:04:42Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132922#M4033 <P>Here is a scrubbed version. Log Source and Sourcetype are defined and working well. LOGIN FAILURE looks exactly like LOGIN SUCCESS and is just plain text and doesn't return as an interesting field. The IP is out there and I can get a count to return by IP... but then I also want to see if these attempts have a SUCCESS or FAILURE associated. </P> <P>&lt;13&gt;Nov 7 11:14:36 <EM>log source</EM> <A href="https://community.splunk.com/*sourcetype*">07-Nov-2013 11:14:36</A> - LOGIN SUCCESS|User Attempt|0|IP list|xxx.xxx.xxx.xxx</P> <P>Thank you</P> Thu, 07 Nov 2013 18:19:52 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132922#M4033 MattQ 2013-11-07T18:19:52Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132923#M4034 <P>Did you tried extracting LOGIN SUCCESS or LOGIN FAILURE using field extraction?</P> Thu, 07 Nov 2013 18:40:06 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132923#M4034 somesoni2 2013-11-07T18:40:06Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132924#M4035 <P>Use a field extraction like:</P> <PRE><CODE>… | rex field=_raw ".*LOGIN\s(?&lt;loginresult&gt;(SUCCESS|FAILURE)).*" </CODE></PRE> <P>There may be more elegant ways to do the regex, but that gives you the field named "loginresult" that will have either SUCCESS or FAILURE for each entry. That allows you to do reporting and matching on those fields. If the above works, then use that syntax to create a configured extract so the field is always available for that data source.</P> Thu, 07 Nov 2013 19:23:06 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132924#M4035 jtrucks 2013-11-07T19:23:06Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132925#M4036 <P>This definitely is breathing life into this. With this nudge I am getting there. Thank you</P> Thu, 07 Nov 2013 20:29:32 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132925#M4036 MattQ 2013-11-07T20:29:32Z https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132926#M4037 <P>This quick reference guide helped me to get started <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/SearchCheatsheet#Download_the_Splunk_Quick_Reference_Guide">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/SearchCheatsheet#Download_the_Splunk_Quick_Reference_Guide</A></P> Thu, 07 Nov 2013 21:06:46 GMT https://community.splunk.com/t5/Security/LOGIN-SUCCESS-vs-LOGIN-FAILURE/m-p/132926#M4037 aelliott 2013-11-07T21:06:46Z