Solved: IF with some conditionals

jnahuelperez35 · ‎02-25-2018

I guys! i would like to count the fail and success logons on my SFTP. The events are
Successfull Logins from different accounts:
[40] Sat 24Feb18 01:53:49 - (1809219) HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_SUCCESS: successful login

Failed logins from different accounts:
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_FAILURE: login failed
[41] Sat 24Feb18 01:53:38 - (1809216) HTTP_OKAY (200): SESS_FAIL

So i made this search:

    index="sftp" SSHCommand="MSG_USERAUTH_SUCCESS" OR http_command=LOGIN OR SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="*SESS_FAIL*"  Event_Message="HTTP_OKAY (200): SESS_FAIL" 
| eval type=IF(SSHCommand="MSG_USERAUTH_SUCCESS" OR (Event_Message="HTTP_LOGIN: user:*"),"SUCCESS", IF(SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="HTTP_OKAY (200): SESS_FAIL","FAIL","OTHER"))  
| stats  list(Event_Message) by type

But it returns "other" values that star with:
HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com

any ideas?

jnahuelperez35 · ‎02-25-2018

My mistake it was that i forgotten the "" with "LOGIN".
Please cancel my question.

View solution in original post

jnahuelperez35 · ‎02-25-2018

My mistake it was that i forgotten the "" with "LOGIN".
Please cancel my question.

IF with some conditionals

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation