Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction help

aknsun
Path Finder
‎02-23-2020 04:44 AM

Hi,

I have events in the following format. It would either be a "Successful log in" or a "Unsuccessful login". I'm trying to do a CIM Mapping under Authentication Data Model and need the values to show up as either success or failure to map correctly. But struggling a bit with this.

1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user "ABCD" (1): Successful log in. (API Connection)

Thanks,
AKN

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-23-2020 07:09 AM

First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:

vendor_action, action
Successful log in, success
Unsuccessful login, failure

Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-23-2020 07:09 AM

First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:

vendor_action, action
Successful log in, success
Unsuccessful login, failure

Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.

Reply
Solved! Jump to solution

aknsun
Path Finder
‎02-23-2020 09:08 PM

@woodcock Thanks for the easiest of solutions. I had created the field extraction ealier. However, instead of automatic lookup method you suggested, I went on a winding path. lol

Thanks for the suggestion and it's working perfectly fine now.

Thanks,
AKN

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-24-2020 06:18 AM

In Splunk, the answer always looks so simple once you see it.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-23-2020 05:16 AM 
| makeresults 
| eval _raw="1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user \"ABCD\" (1): Successful log in. (API Connection)#1|Sun, 23 Feb 2020 22:32:10 +1000|INFO||||||user \"BCDE\" (1): Unsuccessful login. (API Connection)" 
| makemv delim="#" _raw 
| stats count by _raw
| rex "(?i)^.*\s(?<vendor_action>.*?successful.+in)"
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-23-2020 01:58 PM

@woodcock 's solution is better. I modified my answer.
To extract fields, try my REGEX OR Unsuccessful login|Successful log in , simply.

Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...