I have this splunk query that returns two fields, "audit_event_name" (the name of the event) and "failureRate" (the rate of failure).
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100
| where failureRate > 0.5
| fields audit_event_name, failureRate
However, there is this one audit_event_name "SUBMIT_LOGIN_CREDENTIALS_PCOS" that should have a failureRate > 0.6 instead. How would I implement that? I've tried using subsearches but it didn't work quite well for me. Thanks for any and all help!
Try like this
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100
| where (audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.6) OR (audit_event_name!="SUBMIT_LOGIN_CREDENTIALS_PCOS" AND failureRate > 0.5)
| fields audit_event_name, failureRate
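As an added example (not code from the thread), the same query with the per-event threshold moved into a `case()` eval, so that each further exception is one extra line instead of another `OR` branch in the `where` clause; it reuses the thread's index, sourcetype, field names and threshold values, and the `threshold` field name is an assumption.

```spl
index=jedi sourcetype=jedi_epf_audit
| stats count(eval(actvy_dispos_cd=4)) as Failure,
        count(eval(actvy_dispos_cd=1)) as Success,
        count(eval(actvy_dispos_cd=3)) as PolicyDenied
        by audit_event_name
| eval successRate = round(Success / (Success + Failure), 4)
| eval failureRate = (1 - successRate) * 100
| eval threshold = case(
        audit_event_name="SUBMIT_LOGIN_CREDENTIALS_PCOS", 0.6,
        true(), 0.5)
| where failureRate > threshold
| table audit_event_name Failure Success PolicyDenied failureRate threshold
```

Rows whose Success and Failure are both zero get a null successRate and are dropped by the `where`, which matches the original query's behaviour; keeping the counts and the threshold in the output makes it easier to see why an event name was flagged.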
This worked perfectly, thank you!