Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

AWS Failed logins and coalesce command

samadmemon
Explorer
‎04-15-2019 09:19 AM

Hi All,

On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly.

CORRECT PARSING :

awsRegion: us-east-1

errorMessage: Failed authentication

eventID:

eventName: ConsoleLogin

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion:

In the above log errorCode field is 'failure' which is true.

INCORRECT PARSING :

However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown.

awsRegion: us-east-1

errorMessage: No username found in supplied account

eventID:

eventName: CheckMfa

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion: 1.05

PROPS.CONF :

Below is the entry for errorCode in props.conf

EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success").

QUESTION :

Please suggest the way how we can achieve the following :

if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success.

what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder.

Tags (1)
Reply

rmmiller
Contributor
‎11-19-2019 08:36 AM

coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.

CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?

0 Karma
Reply

vcarbona
Path Finder
‎11-14-2019 08:32 AM

I'm thinking this field should not be overwritten rather a new field should be created indicating the status whether it is success or failure. Not sure if doing so will break anything else.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...