Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with field extraction
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vikram1583
Explorer
09-25-2019
12:11 PM
[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"2","AuthProviderInfo":"
[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"1","AuthProviderInfo":"
"Response":{"ClientMessage":"Incorrect login.","Code":3011648,"Detail":"Incorrect login."},"Errors":[{"ClientMessage":"Incorrect login.","Code":3011648,"DefaultMessage":"Incorrect login.","StackTrace":null}]
from the above event i want to extract AuthenticationLevel":"2" as Count of MFA fails and AuthenticationLevel":"1" as Count of successful logins and Code":3011648 as Incorrect login code
Can someone help me with writing regex to extract these fields?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
09-25-2019
01:38 PM
Try this:
<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)"
| rex field=_raw "Code\":(?<Code>[^\,]+)"
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
09-25-2019
01:38 PM
Try this:
<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)"
| rex field=_raw "Code\":(?<Code>[^\,]+)"
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vikram1583
Explorer
09-25-2019
01:43 PM
Perfect Thanks
Get Updates on the Splunk Community!
Bridging the Gap: Splunk Helps Students Move from Classroom to Career
The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
Unleash Unified Security and Observability with Splunk Cloud Platform
Now Available on Microsoft AzureThursday, March 27, 2025 | 11AM PST / 2PM EST | Register NowStep boldly ...
