Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: stats count eval match issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats count eval match issue
jwalzerpitt
Influencer
07-22-2020
08:27 AM
I have a generic search that is looking for logins and there is a field that has two values – “authentication” for a successful login, and “failed login” for a failed login.
So I modified an existing search that looks for X amount >=3 attempts with success >0 and failed >=3 within 15 mins like so:
index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time
| rename time as _time
| search Attempts>=3 AND Success>0 AND Failed>=3
| eval FirstAttempt=strftime(FirstAttempt,"%x %X")
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")
For some reason it is not liking the count(eval(match as if I shorten the search to the following, I see results for attempts, but nothing for success or failed
index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success
Any help would be greatly appreciated
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spitchika
Path Finder
07-22-2020
08:52 AM
Hi,
I am not able to try this as I am not having logs.
But did we miss "if" in it??
Can you try like below?
count(eval(if((match("Activity Name" == "FAILED LOGIN"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jwalzerpitt
Influencer
07-22-2020
10:24 AM
@spitchika - thx for the reply. With the help of a fellow Splunker the issue was I need single quotes and not double quotes for field name in the eval commands as such:
index="foo" host="bar" Application="app1"
| dedup _time
| eval time = _time
| bin time span=15m
| stats count("Activity Name") as Attempts, count(eval(match('Activity Name',"FAILED LOGIN"))) as Failed, count(eval(match('Activity Name',"AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spitchika
Path Finder
07-22-2020
11:54 AM
@jwalzerpitt Thank you for mentioning correct answer
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
