Splunk Search

How to change the conditional by event name?

mauricio2354
Explorer

I have this splunk query that returns two fields, "audit_event_name" (the name of the event) and "failureRate" (the rate of failure).

index=jedi sourcetype=jedi_epf_audit  
          | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
          | eval successRate = Success/(Success + Failure)
          | eval successRate = round(successRate, 4) 
          | eval failureRate = (1 - successRate) * 100) 
          | where failureRate >  0.5
          | fields audit_event_name, failureRate

However, there is this one audit_event_name "SUBMIT_LOGIN_CREDENTIALS_PCOS" that should have a failureRate > 0.6 instead. How would I implement that? I've tried using subsearches but it didn't work quite well for me. Thanks for any and all help!

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

index=jedi sourcetype=jedi_epf_audit  
           | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
           | eval successRate = Success/(Success + Failure)
           | eval successRate = round(successRate, 4) 
           | eval failureRate = (1 - successRate) * 100) 
           | where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.5)
           | fields audit_event_name, failureRate

View solution in original post

somesoni2
Revered Legend

Try like this

index=jedi sourcetype=jedi_epf_audit  
           | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
           | eval successRate = Success/(Success + Failure)
           | eval successRate = round(successRate, 4) 
           | eval failureRate = (1 - successRate) * 100) 
           | where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.5)
           | fields audit_event_name, failureRate

View solution in original post

mauricio2354
Explorer

This worked perfectly, thank you!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!