[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"2","AuthProviderInfo":"
[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"1","AuthProviderInfo":"
"Response":{"ClientMessage":"Incorrect login.","Code":3011648,"Detail":"Incorrect login."},"Errors":[{"ClientMessage":"Incorrect login.","Code":3011648,"DefaultMessage":"Incorrect login.","StackTrace":null}]
From the above event I want to extract AuthenticationLevel":"2" as Count of MFA fails and AuthenticationLevel":"1" as Count of successful logins and Code":3011648 as Incorrect login code.
Can someone help me with writing regex to extract these fields?
Try this:
<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)"
| rex field=_raw "Code\":(?<Code>[^\,]+)"
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successful logins" count(eval(Code="3011648")) as "Incorrect login code"
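To check the two rex patterns offline before running them against an index, here is an added Python example (not part of the answer above and not Splunk code) that applies the same regular expressions to constructed sample events modelled on the ones in the question and reproduces the three counts from the stats line. Python's `re` module spells named groups as `(?P<name>...)` rather than the `(?<name>...)` form used in SPL; the patterns are otherwise identical. The event strings, function names and count labels are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events modelled on the ones in the question (not real data).
SAMPLE_EVENTS = [
    '[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"2","AuthProviderInfo":"',
    '[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"1","AuthProviderInfo":"',
    '"Response":{"ClientMessage":"Incorrect login.","Code":3011648,"Detail":"Incorrect login."},'
    '"Errors":[{"ClientMessage":"Incorrect login.","Code":3011648,"DefaultMessage":"Incorrect login.","StackTrace":null}]',
]

# Same patterns as the two SPL rex commands, in Python named-group syntax.
AUTH_LEVEL_RE = re.compile(r'AuthenticationLevel":"(?P<AuthenticationLevel>\d+)')
CODE_RE = re.compile(r'Code":(?P<Code>[^,]+)')


def extract_fields(raw):
    """Mimic `rex field=_raw`: only the first match is kept, a missing field is None."""
    fields = {}
    m = AUTH_LEVEL_RE.search(raw)
    fields["AuthenticationLevel"] = m.group("AuthenticationLevel") if m else None
    m = CODE_RE.search(raw)
    fields["Code"] = m.group("Code") if m else None
    return fields


def summarize(events):
    """Mimic the stats line: count events (not matches) satisfying each condition."""
    counts = Counter()
    for raw in events:
        f = extract_fields(raw)
        if f["AuthenticationLevel"] == "2":
            counts["count of MFA fails"] += 1
        if f["AuthenticationLevel"] == "1":
            counts["Successful logins"] += 1
        if f["Code"] == "3011648":
            counts["Incorrect login code"] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_fields(raw))
    print(summarize(SAMPLE_EVENTS))
```

Two things worth keeping in mind when reading the counts: the third sample event contains `"Code":3011648` twice (under Response and under Errors), but because rex without `max_match` keeps only the first match, each event contributes at most one to the count, which is what the stats line expects. Also, the `Code":` pattern is unanchored, so any other key ending in `Code"` (for example a hypothetical `StatusCode`) would be captured as well; prefixing the pattern with the opening quote, `\"Code\":`, restricts it to the exact key.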
Perfect, thanks.