stats count eval match issue

Motivator

I have a generic search that is looking for logins and there is a field that has two values – “authentication” for a successful login, and “failed login” for a failed login.

So I modified an existing search that looks for X amount >=3 attempts with success >0 and failed >=3 within 15 mins like so:

index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time
| rename time as _time
| search Attempts>=3 AND Success>0 AND Failed>=3
| eval FirstAttempt=strftime(FirstAttempt,"%x %X")
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")

For some reason it is not liking the count(eval(match part, as if I shorten the search to the following, I see results for Attempts but nothing for Success or Failed:

index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success

Any help would be greatly appreciated.

Thx

Path Finder

Hi,

I am not able to try this as I do not have logs.

But did we miss "if" in it??

Can you try like below?

count(eval(if((match("Activity Name" == "FAILED LOGIN"


Motivator

@spitchika - thx for the reply. With the help of a fellow Splunker, the issue was that I need single quotes, not double quotes, for the field name in the eval commands, as such:

index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match('Activity Name',"FAILED LOGIN"))) as Failed, count(eval(match('Activity Name',"AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time

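An added example, not from this thread or from Splunk's own documentation, that builds a small synthetic login dataset with makeresults so the quoting difference can be reproduced without an index. In eval, "Activity Name" in double quotes is a string literal, so match("Activity Name", ...) tests the literal text "Activity Name" and is always false; 'Activity Name' in single quotes references the field value. The usernames, timestamps and activity values below are constructed; the window logic follows the thread's search (15-minute bins, Attempts >= 3, Failed >= 3 and Success > 0).

```spl
| makeresults count=8
| streamstats count AS n
| eval _time = relative_time(now(), "@h") + (n * 60)
| eval Username = if(n <= 5, "alice", "bob")
| eval Activity = case(n <= 3, "FAILED LOGIN", n == 4, "AUTHENTICATION", n == 5, "FAILED LOGIN", true(), "AUTHENTICATION")
| rename Activity AS "Activity Name"
| bin _time span=15m
| stats count AS Attempts,
        count(eval(match("Activity Name", "FAILED LOGIN"))) AS Failed_literal,
        count(eval(match('Activity Name', "FAILED LOGIN"))) AS Failed,
        count(eval(match('Activity Name', "AUTHENTICATION"))) AS Success,
        earliest(_time) AS FirstAttempt,
        latest(_time) AS LatestAttempt
        BY Username, _time
| where Attempts >= 3 AND Success > 0 AND Failed >= 3
| eval FirstAttempt = strftime(FirstAttempt, "%x %X"), LatestAttempt = strftime(LatestAttempt, "%x %X")
```

For the constructed data, alice has 4 failed logins and 1 authentication inside one 15-minute bin, so one row is returned with Failed=4 and Success=1, while Failed_literal stays at 0 for exactly the reason the thread describes; bob (3 authentications, no failures) is filtered out by the where clause. Two caveats worth keeping in mind when using this pattern on real data: match is a regular-expression substring test, so "AUTHENTICATION" would also match a value such as "FAILED AUTHENTICATION", and it is case-sensitive. When the field holds a fixed set of values, an exact comparison such as count(eval('Activity Name'="AUTHENTICATION")) is less ambiguous.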

Path Finder

@jwalzerpitt Thank you for mentioning the correct answer.
