IF with some conditionals

Path Finder

Hi guys! I would like to count the failed and successful logons on my SFTP. The events are:
Successful logins from different accounts:
[40] Sat 24Feb18 01:53:49 - (1809219) HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_SUCCESS: successful login

Failed logins from different accounts:
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_FAILURE: login failed
[41] Sat 24Feb18 01:53:38 - (1809216) HTTP_OKAY (200): SESS_FAIL

So I made this search:

    index="sftp" SSHCommand="MSG_USERAUTH_SUCCESS" OR http_command=LOGIN OR SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="*SESS_FAIL*"  Event_Message="HTTP_OKAY (200): SESS_FAIL" 
| eval type=IF(SSHCommand="MSG_USERAUTH_SUCCESS" OR (Event_Message="HTTP_LOGIN: user:*"),"SUCCESS", IF(SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="HTTP_OKAY (200): SESS_FAIL","FAIL","OTHER"))  
| stats  list(Event_Message) by type

But it returns "OTHER" for values that start with:
HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com

Any ideas?

0 Karma
1 Solution

Path Finder

My mistake: it was that I forgot the "" around "LOGIN".
Please cancel my question.


0 Karma
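As an added example (not the poster's search, and not an official Splunk answer), here is one way to write the same success/fail classification so that the `HTTP_LOGIN: user: ...` events land in the SUCCESS bucket. In `eval`, `=` compares whole strings and does not treat `*` as a wildcard, so the prefix and substring matches are done with `like()` (SQL-style `%` wildcards), and `case()` with a `true()` fallback replaces the nested `IF`. It assumes the field names from the question (`SSHCommand`, `http_command`, `Event_Message`) are already extracted from the `sftp` index, and it adds a `count` beside the listed messages so the result answers the "how many failed / succeeded" question directly.

```spl
index="sftp"
    (SSHCommand="MSG_USERAUTH_SUCCESS" OR SSHCommand="MSG_USERAUTH_FAILURE"
     OR http_command="LOGIN" OR Event_Message="*SESS_FAIL*")
| eval type=case(
      SSHCommand=="MSG_USERAUTH_SUCCESS" OR like(Event_Message, "HTTP_LOGIN: user:%"), "SUCCESS",
      SSHCommand=="MSG_USERAUTH_FAILURE" OR like(Event_Message, "%SESS_FAIL%"), "FAIL",
      true(), "OTHER")
| stats count, list(Event_Message) AS messages by type
```

Run over the four sample events from the question, this yields one SUCCESS row with a count of 2 (the `HTTP_LOGIN` and `SSH2_MSG_USERAUTH_SUCCESS` lines) and one FAIL row with a count of 2 (the `SSH2_MSG_USERAUTH_FAILURE` and `SESS_FAIL` lines); anything that matches the base search but neither pattern still shows up under OTHER, which is useful for spotting log formats the classification has not accounted for yet.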
