topic Re: Can you help me fix my Splunk search? in Splunk Search

Can you help me fix my Splunk search?

olawalePS — Sat, 21 Oct 2023 16:44:29 GMT

I am trying to create an alert that triggers if a user successfully logs in without first having been successfully authenticated via MFA. The query is below:

index="okta" sourcetype="OktaIM2:log" outcome.result=SUCCESS description="User login to Okta" OR description="Authentication of user via MFA" | transaction maxspan=1h actor.alternateId, src_ip | where (mvcount(description) == 1) | where (mvindex(description, "User login to Okta") == 0)

I keep getting the error

Error in 'where' command: The arguments to the 'mvindex' function are invalid.

Please help me correct my search and explain what I am doing wrong.

Re: Can you help me fix my Splunk search?

richgalloway — Sat, 21 Oct 2023 16:48:43 GMT

The second argument to mvindex must be an integer. I think perhaps you want something like this:

| where (mvindex(description, mvfind(description,"User login to Okta")) == 0)

or, even better

| where (isnotnull(mvfind(description, "User login to Okta")))

Re: Can you help me fix my Splunk search?

inventsekar — Sat, 21 Oct 2023 17:04:28 GMT

Hi, I am not sure of how the two where commands are working in your SPL.

but, the mvindex second argument must be a "number".

mvindex(<mv>, <start>, <end>)

This function returns a subset of the multivalue field using the start and end index values.

Usage.....The <mv> argument must be a multivalue field. The <start> and <end> indexes must be numbers.

The <mv> and <start> arguments are required. The <end> argument is optional.

https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions

Re: Can you help me fix my Splunk search?

olawalePS — Sun, 29 Oct 2023 02:58:44 GMT

The first one still threw an error but the second worked fine, thanks