Solved: IF with some conditionals

jnahuelperez35 · ‎02-25-2018

I guys! i would like to count the fail and success logons on my SFTP. The events are
Successfull Logins from different accounts:
[40] Sat 24Feb18 01:53:49 - (1809219) HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_SUCCESS: successful login

Failed logins from different accounts:
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_FAILURE: login failed
[41] Sat 24Feb18 01:53:38 - (1809216) HTTP_OKAY (200): SESS_FAIL

So i made this search:

    index="sftp" SSHCommand="MSG_USERAUTH_SUCCESS" OR http_command=LOGIN OR SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="*SESS_FAIL*"  Event_Message="HTTP_OKAY (200): SESS_FAIL" 
| eval type=IF(SSHCommand="MSG_USERAUTH_SUCCESS" OR (Event_Message="HTTP_LOGIN: user:*"),"SUCCESS", IF(SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="HTTP_OKAY (200): SESS_FAIL","FAIL","OTHER"))  
| stats  list(Event_Message) by type

But it returns "other" values that star with:
HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com

any ideas?

jnahuelperez35 · ‎02-25-2018

My mistake it was that i forgotten the "" with "LOGIN".
Please cancel my question.

View solution in original post

jnahuelperez35 · ‎02-25-2018

My mistake it was that i forgotten the "" with "LOGIN".
Please cancel my question.

IF with some conditionals

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...