Hi.
I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session.
The only way I can think of to bypass this is to use an "if" argument, but I don't know how to involve "if" in SPL.
Here are the fields I currently use:
index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.
index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.
Thank you for assisting!
This is a common use case. To find failures not followed by a success, we look for both, then take the most recent event for each user. Finally, discard the successes and you're left with users with failed logins.
index=application sourcetype=globalscape ((cs_method="*user*" sc_status=530) OR (cs_method="*pass*" sc_status=230))
| dedup username ```or some other unique per-user field; dedup keeps the first (most recent) event per user```
```Discard successful logins. Use search rather than where here: where compares "*user*" literally and does not expand wildcards```
| search cs_method="*user*" sc_status=530
What if the user failed to log in, waited a day, tried again and got success.
Would it show it with your suggested query?
That would depend on your search window, but, yes, it's possible.
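The logic of the accepted search (latest event per user within the window, then discard successes) and the window caveat raised in the follow-up, reimplemented in Python as an added example. This is not code from the thread or from Splunk; it runs over a constructed, made-up log in a W3C-style layout that matches the question's cs_method / sc_status field names, so the real GlobalScape line format is an assumption here.

```python
from datetime import datetime

# Constructed sample log, not real GlobalScape output. Layout assumed:
# "date time username cs-method sc-status". 530 = login failed, 230 = logged in.
SAMPLE_LOG = """\
2024-05-01 09:00:00 alice USER 530
2024-05-01 09:00:30 alice PASS 230
2024-05-01 10:15:00 bob USER 530
2024-05-01 10:16:00 bob USER 530
2024-05-02 11:00:00 carol USER 530
2024-05-03 11:05:00 carol PASS 230
"""


def parse_events(text):
    """Turn each log line into a dict with the field names used in the thread."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, method, status = line.split()
        events.append({
            "_time": datetime.fromisoformat(f"{date} {time}"),
            "username": user,
            "cs_method": method,
            "sc_status": int(status),
        })
    return events


def is_failed_login(e):
    # Equivalent of cs_method="*user*" sc_status=530 (wildcard match, case-insensitive)
    return "user" in e["cs_method"].lower() and e["sc_status"] == 530


def is_successful_login(e):
    # Equivalent of cs_method="*pass*" sc_status=230
    return "pass" in e["cs_method"].lower() and e["sc_status"] == 230


def failed_logins_without_success(events, earliest, latest):
    """Users whose most recent login attempt inside [earliest, latest] failed.

    earliest/latest are ISO date or datetime strings, standing in for the
    time-range picker of the Splunk search.
    """
    lo, hi = datetime.fromisoformat(earliest), datetime.fromisoformat(latest)
    # 1. Base search: only events in the window that are a failure or a success.
    in_window = [e for e in events
                 if lo <= e["_time"] <= hi and (is_failed_login(e) or is_successful_login(e))]
    # 2. Splunk returns events newest first, and dedup username keeps the first
    #    one seen, i.e. the most recent event per user.
    in_window.sort(key=lambda e: e["_time"], reverse=True)
    latest_per_user = {}
    for e in in_window:
        latest_per_user.setdefault(e["username"], e)
    # 3. Discard successes: what remains are users whose latest attempt failed.
    return sorted(u for u, e in latest_per_user.items() if is_failed_login(e))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    # Window covering all three days: carol's later success is inside it, so only bob is reported.
    print(failed_logins_without_success(events, "2024-05-01", "2024-05-04"))  # ['bob']
    # Window covering only 2 May: carol's success on 3 May is outside it, so carol is reported.
    print(failed_logins_without_success(events, "2024-05-02", "2024-05-03"))  # ['carol']
```

The second call is the case the follow-up asks about: a failure followed by a success a day later is only recognised as resolved if the search window is wide enough to contain the success, which is why the answer says it depends on the window.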