- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Field Extraction help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have events in the following format. It would either be a "Successful log in" or a "Unsuccessful login". I'm trying to do a CIM Mapping under Authentication Data Model and need the values to show up as either success or failure to map correctly. But struggling a bit with this.
1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user "ABCD" (1): Successful log in. (API Connection)
Thanks,
AKN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:
vendor_action, action
Successful log in, success
Unsuccessful login, failure
Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First you write a field extraction for this sourcetype to create a field called something like vendor_action which captures either Successful log in or Unsuccessful login strings. Then you create a lookup file like this:
vendor_action, action
Successful log in, success
Unsuccessful login, failure
Then you create an automatic lookup for this sourcetype to create the action field from the vendor_action field.
Done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock Thanks for the easiest of solutions. I had created the field extraction ealier. However, instead of automatic lookup method you suggested, I went on a winding path. lol
Thanks for the suggestion and it's working perfectly fine now.
Thanks,
AKN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Splunk, the answer always looks so simple once you see it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user \"ABCD\" (1): Successful log in. (API Connection)#1|Sun, 23 Feb 2020 22:32:10 +1000|INFO||||||user \"BCDE\" (1): Unsuccessful login. (API Connection)"
| makemv delim="#" _raw
| stats count by _raw
| rex "(?i)^.*\s(?<vendor_action>.*?successful.+in)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock 's solution is better. I modified my answer.
To extract fields, try my REGEX OR Unsuccessful login|Successful log in , simply.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
