https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216702#M63623 <P>@somesoni2 Awesome, thanks a lot but failed regex is added NULL user and I am unable to figure out.</P> Wed, 20 Apr 2016 07:13:51 GMT sureshsala 2016-04-20T07:13:51Z https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216699#M63620 <P>I need help with the regular expression for field extraction of login status:</P> <P>Successful: </P> <PRE><CODE>source="/var/log/secure" | rex field=_raw " user (?[^ ]+)"| search user="*" | chart count BY host,user </CODE></PRE> <P>Failed: </P> <PRE><CODE>source="/var/log/secure" | rex field=_raw " invalid user (?[^ ]+)"| search user="*" | chart count BY host,user </CODE></PRE> <P>Is this the right way to do it, or there is a better way?</P> <P>Please help.</P> Tue, 19 Apr 2016 14:02:30 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216699#M63620 sureshsala 2016-04-19T14:02:30Z https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216700#M63621 <P>What does the log entry look like? Can you share one event with successful logon and one with failed logon?</P> Tue, 19 Apr 2016 18:18:09 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216700#M63621 sundareshr 2016-04-19T18:18:09Z https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216701#M63622 <P>Assuming your regex is correctly extracting the users, I would try like this (I would always throw the index and sourcetype as well)</P> <P>Successfull </P> <PRE><CODE>index=yourIndex sourcetype=yourSourcetype source="/var/log/secure" "session opened for user " | rex field=_raw "session opened for user (?&lt;user&gt;[^ ]+)" | chart count BY host,user </CODE></PRE> <P>Failed</P> <PRE><CODE>index=yourIndex sourcetype=yourSourcetype source="/var/log/secure" fail OR invalid | rex field=_raw " invalid user (?&lt;user&gt;[^ ]+)" | chart count BY host,user </CODE></PRE> Tue, 19 Apr 2016 18:44:46 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216701#M63622 somesoni2 2016-04-19T18:44:46Z https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216702#M63623 <P>@somesoni2 Awesome, thanks a lot but failed regex is added NULL user and I am unable to figure out.</P> Wed, 20 Apr 2016 07:13:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216702#M63623 sureshsala 2016-04-20T07:13:51Z https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216703#M63624 <P>Answer: </P> <PRE><CODE>source="/var/log/secure" input_userauth_request AND (fail OR invalid) | rex field=_raw " invalid user (?[^ ]+)" | chart count BY host,user </CODE></PRE> Wed, 20 Apr 2016 08:01:16 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-the-correct-way-to-extract-successful-and-failed-logins/m-p/216703#M63624 sureshsala 2016-04-20T08:01:16Z