Splunk Search

How to find RSA connection failures for a user?

New Member

I need a script that will find rsa connection failures for a user

0 Karma


Most RSA connection failures have the words "connection failure" in them, although the capitalization and the surrounding words change based on the type of failure. Start with...

index=myindex sourcetype=mysourcetype "connection" "failed" "someuserid" | head 1

...and then use the specific wording of the record you find to craft a more careful way of extracting them. Check whether the userid appears in a specific extracted field or not, and so on. Once you have that information, then you can make a better query than that one.

If you don't know the sourcetype or index they are in, then use * and keep narrowing it down until you figure it out.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!