Elastic query

I have a query showing failed and successful logins on one line , I would like to further refine this to only show when there is a successful login and a failed login on the same row.

the query I have is as follows

criteria = log.id: is one of 0101039426, 0101039424

the output contains attacker IP, (count of failed logins) , (count of successful logins)
e.g

111.222.333.444 1 -
222.333.444.111 - 2
333.444.111.222 1 3 <<< this is only the one I want to see

Thanks for any assistance

Welcome to the forum,

111.222.333.444 1 -
222.333.444.111 - 2
333.444.111.222 1 3

are the 3 "columns" indexed to different fields in your elasticsearch index? e.g.

IPaddr, failed_login, successful_login

If yes, successful_login >= 1 and failed_login >= 1 should suffice (KQL).

If not ... it's a little bit harder.

alas not the field i need to evaluate is named logid which contains these 2 values
0101039426 = successful login
0101039424 = failed login

It would be helpful to share some sample documents as indexed into elasticsearch. Obfuscate if you must.

If logid is a field name within individual documents, and an individual document contains only one or the other of the 2 (and other) values, then you need an aggregation, not just a search, if I’m understanding your data. But I’m guessing really, I don’t know how your data is structured into documents until you tell me.

If this is the only field you have, to match 2nd column > 0 and 3rd column > 0 then probably best to use ES|QL:

ROW inputline="333.444.111.222 1 3"
| EVAL x = SPLIT(inputline, " ")
| EVAL ipAddr= MV_SLICE(x,0), successful_login=MV_SLICE(x,1), failed_login=MV_SLICE(x,2)
| WHERE TO_INTEGER(successful_login) > 0 and TO_INTEGER(failed_login) > 0

change ROW ... to FROM <yourindex> and substitute inputline with the name of your field which contains the values above.

Note this is dependent on the fields format being as given.

@TerryG1967 Were you able to resolve your problem?