Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to run an "if" argument in a search?

NizanCohen
Explorer
‎10-02-2022 05:34 AM

Hi.

I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session.

The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL.

Here's the fields I currently use:

index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.

index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.

 

Thank you for assisting!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-02-2022 07:24 AM

This is a common use case.  To find failures not followed by a success we look for both then take the most recent event for each user.  Finally, discard the successes and you're left with users with failed logins.

index=application sourcetype=globalscape ((cs_method="*user*" sc_status=530) OR (cs_method="*pass*" sc_status=230))
| dedup username ```or some other unique per-user field```
```Discard successful logins```
| where (cs_method="*user*" AND sc_status=530)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

NizanCohen
Explorer
‎10-02-2022 07:58 AM

What if the user failed to login, waited a day, tried again and got success. 

Would it show it with your suggested query?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-02-2022 12:22 PM

That would depend on your search window, but, yes, it's possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...