https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682914#M233256 <P>Hi Team</P><P>Can anyone help me with Splunk search query to split the successful login from invalid?&nbsp;</P><P>Ex - I want to exclude OK from the search, want to see only the locket out, invalid, invalid parameter</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_0-1712097718453.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30138iFF6E4ED978464054/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_0-1712097718453.png" alt="jaibalaraman_0-1712097718453.png" /></span></P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 02 Apr 2024 22:43:17 GMT jaibalaraman 2024-04-02T22:43:17Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682914#M233256 <P>Hi Team</P><P>Can anyone help me with Splunk search query to split the successful login from invalid?&nbsp;</P><P>Ex - I want to exclude OK from the search, want to see only the locket out, invalid, invalid parameter</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_0-1712097718453.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30138iFF6E4ED978464054/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_0-1712097718453.png" alt="jaibalaraman_0-1712097718453.png" /></span></P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 02 Apr 2024 22:43:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682914#M233256 jaibalaraman 2024-04-02T22:43:17Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682919#M233259 <LI-CODE lang="markup">| where event.Properties.errMessage != "OK"</LI-CODE> Tue, 02 Apr 2024 22:51:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682919#M233259 ITWhisperer 2024-04-02T22:51:12Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682921#M233261 <P>Or based on your other question, you can directly set that criteria in the initial search, i.e.</P><LI-CODE lang="markup">index=test event.Properties.errMessage!=OK</LI-CODE> Tue, 02 Apr 2024 22:56:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682921#M233261 bowesmana 2024-04-02T22:56:31Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682930#M233263 <P>&nbsp;</P><P>&nbsp;</P><P>I tried,, but the search returning no result.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_1-1712100663756.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30143i804B92FC33F5C2F4/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_1-1712100663756.png" alt="jaibalaraman_1-1712100663756.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 02 Apr 2024 23:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682930#M233263 jaibalaraman 2024-04-02T23:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682933#M233265 <P>Whenever you use a field name in an '<STRONG>eval</STRONG>' expression (where requires an eval expression), you need to use single quotes around the field name if the field name is on the right hand side of the eval statement and contains non-simple characters (in this case the full stop), so&nbsp;</P><LI-CODE lang="markup">| where 'event.Properties.errMessage' != "OK"</LI-CODE><P>Note the sometimes confusing use of single and double quotes used, for example this statement</P><LI-CODE lang="markup">| eval event.Properties.errMessage="Hello"</LI-CODE><P>does NOT need quotes on the left hand side of the statement.</P><P>Where necessary, the left hand side use of quotes requires double quotes, so if your field name has a space, you would need</P><LI-CODE lang="markup">| eval "My Field With Spaces"="Hello"</LI-CODE><P>&nbsp;</P> Wed, 03 Apr 2024 00:25:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/682933#M233265 bowesmana 2024-04-03T00:25:08Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/683130#M233315 <P>Hi&nbsp;</P><P>How do i seperate multiple error instead " OK "</P><P>Invalid password, reset password, permission denied etc</P><P>&nbsp;</P><P>index=events event.Properties.errMessage != "Invalid LoginID","Account Temporarily Locked Out","Permission denied""Unauthorized user","Account Pending Verification","Invalid parameter value"<BR />| stats count by event.Properties.errMessage</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_0-1712200150562.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30185iA016A87E003FBC5A/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_0-1712200150562.png" alt="jaibalaraman_0-1712200150562.png" /></span></P><P>&nbsp;</P> Thu, 04 Apr 2024 03:09:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/683130#M233315 jaibalaraman 2024-04-04T03:09:16Z https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/683204#M233329 <P>Try something like this</P><LI-CODE lang="markup">index=events event.Properties.errMessage!="Invalid LoginID" event.Properties.errMessage!="Account Temporarily Locked Out" event.Properties.errMessage!="Permission denied" event.Properties.errMessage!="Unauthorized user" event.Properties.errMessage!="Account Pending Verification" event.Properties.errMessage!="Invalid parameter value" | stats count by event.Properties.errMessage</LI-CODE> Thu, 04 Apr 2024 08:55:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-seperate-succefully-login-attempt-from-invlaid-Login-id/m-p/683204#M233329 ITWhisperer 2024-04-04T08:55:02Z