Solved: Help with field extraction

vikram1583 · ‎09-25-2019

[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"2","AuthProviderInfo":"

[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"1","AuthProviderInfo":"

"Response":{"ClientMessage":"Incorrect login.","Code":3011648,"Detail":"Incorrect login."},"Errors":[{"ClientMessage":"Incorrect login.","Code":3011648,"DefaultMessage":"Incorrect login.","StackTrace":null}]

from the above event i want to extract AuthenticationLevel":"2" as Count of MFA fails and  AuthenticationLevel":"1" as Count of successful logins and Code":3011648 as Incorrect login code

Can someone help me with writing regex to extract these fields?

mayurr98 · ‎09-25-2019

Try this:

<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)" 
| rex field=_raw "Code\":(?<Code>[^\,]+)" 
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"

View solution in original post

mayurr98 · ‎09-25-2019

Try this:

<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)" 
| rex field=_raw "Code\":(?<Code>[^\,]+)" 
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"

vikram1583 · ‎09-25-2019

Perfect Thanks

Help with field extraction

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Help with field extraction

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk