Re: How to run an "if" argument in a search

NizanCohen · ‎10-02-2022

Hi.

I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session.

The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL.

Here's the fields I currently use:

index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.

index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.

Thank you for assisting!

richgalloway · ‎10-02-2022

This is a common use case. To find failures not followed by a success we look for both then take the most recent event for each user. Finally, discard the successes and you're left with users with failed logins.

index=application sourcetype=globalscape ((cs_method="*user*" sc_status=530) OR (cs_method="*pass*" sc_status=230))
| dedup username ```or some other unique per-user field```
```Discard successful logins```
| where (cs_method="*user*" AND sc_status=530)

---
If this reply helps you, Karma would be appreciated.

NizanCohen · ‎10-02-2022

What if the user failed to login, waited a day, tried again and got success.

Would it show it with your suggested query?

richgalloway · ‎10-02-2022

That would depend on your search window, but, yes, it's possible.

---
If this reply helps you, Karma would be appreciated.

How to run an "if" argument in a search?

search job inspector

table

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?