Splunk Search

How to run an "if" argument in a search?

NizanCohen
Explorer

Hi.

I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session.

The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL.

Here's the fields I currently use:

index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.

index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.

 

Thank you for assisting!

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This is a common use case.  To find failures not followed by a success we look for both then take the most recent event for each user.  Finally, discard the successes and you're left with users with failed logins.

index=application sourcetype=globalscape ((cs_method="*user*" sc_status=530) OR (cs_method="*pass*" sc_status=230))
| dedup username ```or some other unique per-user field```
```Discard successful logins```
| where (cs_method="*user*" AND sc_status=530)
---
If this reply helps you, Karma would be appreciated.
0 Karma

NizanCohen
Explorer

What if the user failed to login, waited a day, tried again and got success. 

Would it show it with your suggested query?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That would depend on your search window, but, yes, it's possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...