Splunk Search

Help with field extraction

vikram1583
Explorer
[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"2","AuthProviderInfo":"

[Response:"AccessToken":"XXXXX", "AuthenticationLevel":"1","AuthProviderInfo":"

"Response":{"ClientMessage":"Incorrect login.","Code":3011648,"Detail":"Incorrect login."},"Errors":[{"ClientMessage":"Incorrect login.","Code":3011648,"DefaultMessage":"Incorrect login.","StackTrace":null}]

from the above event i want to extract AuthenticationLevel":"2" as Count of MFA fails and  AuthenticationLevel":"1" as Count of successful logins and Code":3011648 as Incorrect login code

Can someone help me with writing regex to extract these fields?

0 Karma
1 Solution

mayurr98
Super Champion

Try this:

<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)" 
| rex field=_raw "Code\":(?<Code>[^\,]+)" 
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"

View solution in original post

0 Karma

mayurr98
Super Champion

Try this:

<your_index>
| rex field=_raw "AuthenticationLevel\":\"(?<AuthenticationLevel>\d+)" 
| rex field=_raw "Code\":(?<Code>[^\,]+)" 
| stats count(eval(AuthenticationLevel="2")) as "count of MFA fails" count(eval(AuthenticationLevel="1")) as "Successfil logins" count(eval(Code="3011648")) as "Incorrect login code"
0 Karma

vikram1583
Explorer

Perfect Thanks

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...