Splunk Search

Field Extraction help

aknsun
Path Finder

Hi,

I have events in the following format. It would either be a "Successful log in" or a "Unsuccessful login". I'm trying to do a CIM Mapping under Authentication Data Model and need the values to show up as either success or failure to map correctly. But struggling a bit with this.

1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user "ABCD" (1): Successful log in. (API Connection)

Thanks,
AKN

0 Karma
1 Solution

woodcock
Esteemed Legend

First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:

vendor_action, action
Successful log in, success
Unsuccessful login, failure

Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.

View solution in original post

woodcock
Esteemed Legend

First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:

vendor_action, action
Successful log in, success
Unsuccessful login, failure

Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.

View solution in original post

aknsun
Path Finder

@woodcock Thanks for the easiest of solutions. I had created the field extraction ealier. However, instead of automatic lookup method you suggested, I went on a winding path. lol

Thanks for the suggestion and it's working perfectly fine now.

Thanks,
AKN

woodcock
Esteemed Legend

In Splunk, the answer always looks so simple once you see it.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user \"ABCD\" (1): Successful log in. (API Connection)#1|Sun, 23 Feb 2020 22:32:10 +1000|INFO||||||user \"BCDE\" (1): Unsuccessful login. (API Connection)" 
| makemv delim="#" _raw 
| stats count by _raw
| rex "(?i)^.*\s(?<vendor_action>.*?successful.+in)"
0 Karma

to4kawa
Ultra Champion

@woodcock 's solution is better. I modified my answer.
To extract fields, try my REGEX OR Unsuccessful login|Successful log in , simply.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!