Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitoring for login failures - Events are on different lines

cj039165
New Member
‎07-18-2016 07:20 AM

I need to monitor for the following condition. The "PsftpManager.GetPsftpCommand Cmd:" string will get me the user ID that failed. The "PsftpManager.Execute SFTP returnCode: 1" tells me that the login failed. How do I link these two together. They are separated by 21 seconds in the logs. The "PsftpManager.GetPsftpCommand Cmd:" comes out in the logs for every successful and failed login attempt. I need to make sure I'm not showing a login ID for an event that worked and linking it to the return code:1. Hope I'm not being confusing.

Log Example:
07/03/2016 08:05:00 DEBUG PsftpManager.GetPsftpCommand Started
07/03/2016 08:05:00 DEBUG PsftpManager.GetPsftpCommand Cmd: c:\adminscripts\psftp.exe -P 9999 -l PRJB0Y2@9999999 -pw Hdx$9999 -b f:\sftproot\custdm10.hdx-609\prod\0\reports\inbound\himk\rad979F1.tmp -bc -v -batch 10.174.13.58 > f:\sftproot\custdm10.hdx-609\prod\0\reports\inbound\himk\radAAAE0.tmp
07/03/2016 08:05:21 ERROR PsftpManager.Execute SFTP returnCode: 1

Thanks

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-18-2016 09:05 AM

Try this

...  | rex "(?<prg>PsftpManager)" | transaction startswith="PsftpManager.GetPsftpCommand Cmd" endswith="PsftpManager.Execute SFTP returnCode: 1" maxspan=30s | table prg duration eventcount
0 Karma
Reply

cj039165
New Member
‎07-18-2016 11:01 AM

This work well with only one exception. I'm seeing results with multiple sources in it. For example:

source = F:\SFTPROOT\custdm10.HDX-609\Fidelis.log source = F:\SFTPROOT\custdm10.HDX-609\Highmark.log

How do I get the results broken out so it's per source log?

Thanks!

0 Karma
Reply

somesoni2
Revered Legend
‎07-18-2016 08:52 AM

Have a look at transaction command.
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...