LOGIN SUCCESS vs LOGIN FAILURE

MattQ
Explorer

I have logs that return the basic text of "LOGIN SUCCESS" and "LOGIN FAILURE" but I don't seem to be able to make this a unique and interesting field. I want to be able to search logs and return a count by IP addresses of everything trying to log in and then sort those with counts by SUCCESS or FAILURE

This seems incredibly simple but I am failing at it


jtrucks
Splunk Employee

Use a field extraction like:

… | rex field=_raw ".*LOGIN\s(?<loginresult>(SUCCESS|FAILURE)).*"

There may be more elegant ways to do the regex, but that gives you the field named "loginresult" that will have either SUCCESS or FAILURE for each entry. That allows you to do reporting and matching on those fields. If the above works, then use that syntax to create a configured extract so the field is always available for that data source.

--
Jesse Trucks
Minister of Magic

MattQ
Explorer

This definitely is breathing life into this. With this nudge I am getting there. Thank you

somesoni2
Revered Legend

Did you try extracting LOGIN SUCCESS or LOGIN FAILURE using field extraction?

MattQ
Explorer

Here is a scrubbed version. Log Source and Sourcetype are defined and working well. LOGIN FAILURE looks exactly like LOGIN SUCCESS and is just plain text and doesn't return as an interesting field. The IP is out there and I can get a count to return by IP... but then I also want to see if these attempts have a SUCCESS or FAILURE associated.

<13>Nov 7 11:14:36 log source 07-Nov-2013 11:14:36 - LOGIN SUCCESS|User Attempt|0|IP list|xxx.xxx.xxx.xxx

Thank you

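As an added example (not from the thread), the accepted answer's rex extraction rewritten in Python's named-group syntax and run over constructed events in the format posted above, with the count-by-IP-and-result aggregation the question asks for. The IP regex, the sample addresses and the failure-then-success check are my assumptions, not part of the original posts.

```python
import re
from collections import Counter

# Same extraction as the accepted answer's rex, in Python's named-group syntax
# (Splunk's rex uses (?<name>...); Python's re module needs (?P<name>...)).
LOGIN_RE = re.compile(r"LOGIN\s(?P<loginresult>SUCCESS|FAILURE)")
# Assumption: the IP is the last pipe-delimited field in the posted format.
IP_RE = re.compile(r"\|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample events in the posted format (addresses are made up).
SAMPLE_LOGS = """\
<13>Nov 7 11:14:36 log source 07-Nov-2013 11:14:36 - LOGIN FAILURE|User Attempt|0|IP list|203.0.113.5
<13>Nov 7 11:14:40 log source 07-Nov-2013 11:14:40 - LOGIN FAILURE|User Attempt|0|IP list|203.0.113.5
<13>Nov 7 11:14:44 log source 07-Nov-2013 11:14:44 - LOGIN SUCCESS|User Attempt|0|IP list|203.0.113.5
<13>Nov 7 11:15:02 log source 07-Nov-2013 11:15:02 - LOGIN SUCCESS|User Attempt|0|IP list|198.51.100.7
<13>Nov 7 11:15:10 log source 07-Nov-2013 11:15:10 - LOGIN FAILURE|User Attempt|0|IP list|192.0.2.9
<13>Nov 7 11:15:11 log source 07-Nov-2013 11:15:11 - LOGOUT|User Attempt|0|IP list|192.0.2.9
"""

def extract(event: str):
    """Return (ip, loginresult) for a LOGIN event, or None if either field is missing."""
    m = LOGIN_RE.search(event)
    n = IP_RE.search(event)
    if not m or not n:
        return None
    return n.group("ip"), m.group("loginresult")

def count_by_ip(events: str):
    """Equivalent of `... | stats count by ip, loginresult`: FAILURE rows first, highest count first."""
    counts = Counter()
    for line in events.splitlines():
        pair = extract(line)
        if pair:
            counts[pair] += 1
    return sorted(counts.items(), key=lambda kv: (kv[0][1] != "FAILURE", -kv[1], kv[0][0]))

def failures_then_success(events: str):
    """IPs that both failed and succeeded: the ones worth a closer look in review."""
    seen = {}
    for line in events.splitlines():
        pair = extract(line)
        if pair:
            ip, result = pair
            seen.setdefault(ip, set()).add(result)
    return sorted(ip for ip, r in seen.items() if r == {"SUCCESS", "FAILURE"})

if __name__ == "__main__":
    for (ip, result), n in count_by_ip(SAMPLE_LOGS):
        print(f"{ip:15} {result:8} {n}")
    print("failed then succeeded:", failures_then_success(SAMPLE_LOGS))
```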

richgalloway
SplunkTrust

Would you please provide sample log entries?

---
If this reply helps you, Karma would be appreciated.