I would like to return a chart that has
LOGIN SUCCESS
LOGIN FAILURE
and TOTAL LOGIN ATTEMPTS.
In my logs I return raw text of LOGIN SUCCESS and LOGIN FAILURE.
I can search and return everything with "LOGIN" and chart that over time. How do I then subsearch for the raw text in those results for "SUCCESS" and separately "FAILURE" and return the count of all three in a timechart? (The top line, all logins, should equal the total of the SUCCESS and FAILURE.)
I am looking to produce this for trending to spot anomalies.
Essentially:
... AND ("LOGIN SUCCESS" OR "LOGIN FAILURE") | timechart count
but how do I get this to return as two separate count lines?
Create a field extraction for the login action (see http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime ) then split your timechart by this field.
... | timechart count by login_action
(or whatever you choose to call your field)
You can then choose to stack your chart so that you get a total count in the chart that way.
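A full search that does the extraction inline and returns all three series the question asks for, added here as an example and not part of the answer above; it assumes an index called auth and that the raw events literally contain "LOGIN SUCCESS" or "LOGIN FAILURE" (the index name and the login_action field name are placeholders):

```spl
index=auth ("LOGIN SUCCESS" OR "LOGIN FAILURE")
| rex field=_raw "LOGIN\s+(?<login_action>SUCCESS|FAILURE)"
| timechart span=1h count(eval(login_action="SUCCESS")) AS login_success,
                   count(eval(login_action="FAILURE")) AS login_failure,
                   count AS total_logins
| eval failure_ratio=round(login_failure/total_logins, 2)
```

Because total_logins is a plain count over the same filtered events, it always equals login_success plus login_failure, which is the consistency check the question asks for; the failure_ratio column is a convenient single series to alert on when trending for anomalies such as a sudden rise in failed logins.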