Okay just testing the suggested settings and just made sure to put the new settings at the top of the props.config file and did a restart and it worked! Thank you for your help! ... View more

@mayurr98, thank you for the detailed post. I am still a Splunk novice so I just need to clarify a couple things before I make the change in production. The proper path for the props.conf file if I am not using a specific app for our ESXi logs will be /opt/splunk/etc/app/search/local ? Also according to the link, you provided it mentions putting the setting you provided at the top of the prop.config file. Just wanted to verify the location where I put the settings in the file matters. ... View more

Thank you myurr98, and thank you for your help! ... View more

Thanks I agree, that was going to be my backup plan if I could not get splunk to pull it out through it's regex wizard. Just wanted to avoid having to relearn it then forget it again five minutes later at all costs. Usually takes me about an hour and a few dents in my desk and head to rewrap my head around it then once the task is complete poof it's gone again haha. Thank you for providing a basic example at that was exactly what I was looking for to make the first field. ... View more

That is interesting I initially tried the renderXML switch in the stanza as I saw it on another post about pulling out the printer logs just to see what it looked like. Lo and behold it did exactly like it said it would and it was formatted in XML. Since I am a run of the mill Ops guy I saw that and said no no no give me back something I am used too and is more human readable. So I changed it back without really looking at it. If it does a better job of dealing with field extraction or at least a cleaner way of doing it I may have to turn it back on and play with what you suggested. If anything so I know what it is capable of doing going forward for future situations like this. Thank you for sugesting it! ... View more

I think I tried exactly what you recommended before I just ended up breaking up each new field into it's own extraction but ran into the same issue. When I tried putting in two the the fields into a single extraction then went back and tried to create a new extraction one one of the two remaining fields I needed I got the error. Then I tried as you suggested and un-checked the highlighted fields I was already extracting and still got the error after re-attempting to create the new field. I am sure did something in the wrong order and this would have worked but it was a dead end when I attempted it. ... View more

This was the quick fix to my issue, I just separated each extraction into it's own field extraction and I got it working enough to achieve the main goal. It's not the best solution but it worked in a pinch and kept me from needing to re-lean regex for the 100th time. (I have a super bad memory and am a bit lazy/in a hurry) 🙂 ... View more

@sbbadri That did the trick!!! Thank you!!! ... View more

I saw you posted this yesterday and I was not quite able to wrap my head around how sub-searches worked. Did some more digging till I read that when the search is executed it executes what ever is in the brackets first then runs the rest of the search. That made me realize its like a basic algebra problem and what I was doing in the bracket is just trying to get a list of the to 10 users and injecting them into the main search. After that I was able to quickly come up with a working search. I came back here to post my results and found they were almost identical to what you had already posted yesterday. If I wasn't so thick headed l would have got what I was looking for a day early thanks to you. Hahaha ... View more

You are right I want top 10 over the span of the entire search. What I am trying to achieve is getting a list of the 10 ten users who had the most failed attempts over the entire search period. Then put that list into a line or area chart that shows the number of failures each day for each user over the selected time period. In our case it will probably be 3-6 months. We are looking for users who have large number of failed login attempts over a long period of time but want to break it down into chunks like per day so we can see if all the failures for a given user was all in a single day or if it happens in smaller chunks consistently over each month or even each day. This would help tell us if the account was under attack or if the user uses sites like mint.com to login to login to our site to check account balances automatically. If they sign into a system like mint.com put in their credentials then change their credentials later on our site and forget to change them in mint.com we would expect to see consistent failed traffic each day from that account. ... View more

Sorry yes I had an issue submitting and re-posted it thinking it didn't work the first time, sorry. ... View more

The issue is I misspoke the SessionID is more like an even ID so ID itself is not the same between putting in your password and putting in the additional challenge questions as each one is counted as a separate event. So if one user logs in and has registered their PC to our site then they skip the challenge question section and only get a single "Validated" event logged but if they are new to the site or never register their computer to the site then they will get two "Validated" events each with a different Event ID + plus the same user name so it would count as two logins instead of one and I am back in the same boat I was in before you sent me your query. I don't see how the event ID will help in this situation but figured I would toss it out there to make sure I didn't miss anything. The query you gave me gets me close to the number I need with only a very small fudge factor, I was just trying to see if I can get an exact count but its not the end of the world. ... View more

Sorry for the late response, woodcock that look to do the trick and thanks DalJeanis for the correction! Just a note in case there is a better way to handle this, I did notice one of the fields did act as a very basic session ID that is localized to specific transactions and not overall to the user itself but more down to the level of a specific task as shown here: 4/17/17 03:45:10 - [SessionID 2] [UserNameHere] [Authenticate Validated] 4/17/17 03:45:10 - [SessionID 2] [UserNameHere] [Junk Event Here] 4/17/17 03:45:10 - [SessionID 2] [UserNameHere] [Junk Event Here] 4/17/17 03:45:10 - [SessionID 2] [UserNameHere] [Authentication Type Question] 4/17/17 03:45:10 - [SessionID 2] [UserNameHere] [Junk Event Here] 4/17/17 03:45:05 - [SessionID 2] [UserNameHere] [Challenge Request Sent] 4/17/17 03:45:05 - [SessionID 1] [UserNameHere] [Authenticate Validated] 4/17/17 03:45:05 - [SessionID 1] [UserNameHere] [Junk Event Here] 4/17/17 03:45:05 - [SessionID 1] [UserNameHere] [Junk Event Here] 4/17/17 03:45:05 - [SessionID 1] [UserNameHere] [Authentication Type Password] 4/17/17 03:45:05 - [SessionID 1] [UserNameHere] [Junk Event Here] 4/17/17 03:45:00 - [SessionID 1] [UserNameHere] [Challenge Request Sent] Also session ID is not very unique and probably ranges between 1-20 at any given point and you will see multiple of the same id show up given the limited range of IDs but they are different between the password events and the question events. Since they don't bridge the two together I feel I am still in the same boat but maybe someone can think of a way to use this to make it more accurate. ... View more

I had to update the example logs as it didn't reflect the second validation event group to show they were challenge questions and not password and username. ... View more

there is but it is a separate event the follows the first successful event , so it looks like this: 4/17/17 03:45:10 - [Info] [EventIDHere] [AuthenticateUser] [UserNameHere] validated 4/17/17 03:45:10 - [Info] [EventIDHere] [Junk Event] [UserNameHere] 4/17/17 03:45:10 - [Info] [EventIDHere] [Junk Event] [UserNameHere] 4/17/17 03:45:10 - [Debug] [EventIDHere] [Authenticate] [UserNameHere] 4/17/17 03:45:10 - [Info] [EventIDHere] [Authentication Type Challenge Questions] [UserNameHere] 4/17/17 03:45:05 - [Info] [EventIDHere] [UserNameHere] [Challenge Request Sent] 4/17/17 03:45:05 - [Info] [EventIDHere] [AuthenticateUser] [UserNameHere] validated 4/17/17 03:45:05 - [Info] [EventIDHere] [Junk Event] [UserNameHere] 4/17/17 03:45:05 - [Info] [EventIDHere] [Junk Event] [UserNameHere] 4/17/17 03:45:05 - [Debug] [EventIDHere] [Authenticate] [UserNameHere] 4/17/17 03:45:05 - [Info] [EventIDHere] [Authentication Type Password] [UserNameHere] 4/17/17 03:45:00 - [Info] [EventIDHere] [UserNameHere] [Challenge Request Sent] This is close to how it is laid out where it shows two groups of events one group being related to the password authentication and one being related to the questions authentication and there is no session ID or specific event ID that allows you to tell the two logins apart. The only way you know the event are related is they all share the same username and are within a few seconds of each other most of the time. ... View more

Oh I thought I would need to add a second radio button and tie them together, that makes more sense I will take another look at it then and see what it can do. Thank You! ... View more

I will mark it answered since you did hit on the key issue of the unset token when using the check box make it unusable. ... View more

I figured as much but for some reason I didn't like the idea of dealing with two inputs when I could set it to deal with only one. So I avoided looking down that path and just trying the dropdown, figured it would then give me room for more filter options in the future if I think of some more. ... View more