Splunk Search

How to run an "if" argument in a search?

NizanCohen
Explorer

Hi.

I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session.

The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL.

Here's the fields I currently use:

index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.

index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.

 

Thank you for assisting!

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This is a common use case.  To find failures not followed by a success we look for both then take the most recent event for each user.  Finally, discard the successes and you're left with users with failed logins.

index=application sourcetype=globalscape ((cs_method="*user*" sc_status=530) OR (cs_method="*pass*" sc_status=230))
| dedup username ```or some other unique per-user field```
```Discard successful logins```
| where (cs_method="*user*" AND sc_status=530)
---
If this reply helps you, Karma would be appreciated.
0 Karma

NizanCohen
Explorer

What if the user failed to login, waited a day, tried again and got success. 

Would it show it with your suggested query?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That would depend on your search window, but, yes, it's possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...