Splunk Search

How to change the conditional by event name?

mauricio2354
Explorer

I have this splunk query that returns two fields, "audit_event_name" (the name of the event) and "failureRate" (the rate of failure).

index=jedi sourcetype=jedi_epf_audit  
          | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
          | eval successRate = Success/(Success + Failure)
          | eval successRate = round(successRate, 4) 
          | eval failureRate = (1 - successRate) * 100) 
          | where failureRate >  0.5
          | fields audit_event_name, failureRate

However, there is this one audit_event_name "SUBMIT_LOGIN_CREDENTIALS_PCOS" that should have a failureRate > 0.6 instead. How would I implement that? I've tried using subsearches but it didn't work quite well for me. Thanks for any and all help!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

index=jedi sourcetype=jedi_epf_audit  
           | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
           | eval successRate = Success/(Success + Failure)
           | eval successRate = round(successRate, 4) 
           | eval failureRate = (1 - successRate) * 100) 
           | where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.5)
           | fields audit_event_name, failureRate

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

index=jedi sourcetype=jedi_epf_audit  
           | stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name 
           | eval successRate = Success/(Success + Failure)
           | eval successRate = round(successRate, 4) 
           | eval failureRate = (1 - successRate) * 100) 
           | where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate >  0.5)
           | fields audit_event_name, failureRate

mauricio2354
Explorer

This worked perfectly, thank you!

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...