Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to change the conditional by event name?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mauricio2354
Explorer
05-29-2018
12:10 PM
I have this splunk query that returns two fields, "audit_event_name" (the name of the event) and "failureRate" (the rate of failure).
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100)
| where failureRate > 0.5
| fields audit_event_name, failureRate
However, there is this one audit_event_name "SUBMIT_LOGIN_CREDENTIALS_PCOS" that should have a failureRate > 0.6 instead. How would I implement that? I've tried using subsearches but it didn't work quite well for me. Thanks for any and all help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-29-2018
12:42 PM
Try like this
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100)
| where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.5)
| fields audit_event_name, failureRate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-29-2018
12:42 PM
Try like this
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100)
| where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.5)
| fields audit_event_name, failureRate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mauricio2354
Explorer
05-30-2018
09:34 AM
This worked perfectly, thank you!
Get Updates on the Splunk Community!
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0
mTLS wasn’t just a checkbox ...
