This is probably a very basic Splunk question, but as I move beyond basic searches, these are the kinds of use cases I'm needing help with:
Here's the scenario:
field sc_status contains the HTTP response code (either 401 or 200 in this case)
A successful Kerberos authentication is going to show a 401 response (auth challenge) followed by a corresponding 200 response when the auth occurs successfully.
An error condition exists if multiple 401 responses exist in the logs (let's say 20 or more) without a corresponding 200 response.
So - to show these in a search (or an alert), I need to be able to: find a 401 response, look ahead to the subsequent 20 events, and return results if there's not a corresponding 200 message.
The transaction command works great at grouping events into 401/200 login events, but is there a way to show 401s that AREN'T captured by the transaction?
Thanks in advance...
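One way to express this in SPL, as an added example that is not part of the original post: the transaction approach the question already uses, with keepevicted=true so that 401 groups that never reach a 200 are kept instead of dropped, and closed_txn marking them. It assumes IIS-style fields with c_ip as the client address alongside sc_status, and index=web / sourcetype=iis as placeholders for the real data source.

```spl
index=web sourcetype=iis sc_status IN (401, 200)
| transaction c_ip startswith="sc_status=401" endswith="sc_status=200" maxevents=21 keepevicted=true
| where closed_txn=0 AND eventcount>=20
| table _time c_ip eventcount duration
```

A run of exactly 20 challenges followed by a 200 closes normally (closed_txn=1) and is excluded, while a run that hits maxevents or is still open at the end of the search window is evicted with closed_txn=0 and surfaces in the results.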