Is it possible to have eventtypes for user authentication with different events?
I am working on a TA for Aruba user authentication logs.
I have the action=success completed event **522008** but action=failure will be from another event **522042** (not the same event ID).
**SAMPLE EVENTS**

*Successful*

```
Oct 19 04:19:24 awc1 authmgr[1883]: <522008> User Authentication Successful: username=john.doe MAC=08:15:96:ab:ac:e0 IP=192.168.2.10 role=authenticated VLAN=601 AP=102.168.2.1 SSID=corp AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com
```

*Failed*

```
Oct 19 23:57:03 awc1 authmgr[1883]: <522042> User Authentication Failed: username=john.doe MAC=08:15:96:ab:ac:e0 IP=0.0.0.0 auth method=802.1x auth server=radius.lab.com
```
**CONFIGS**

*eventtypes.conf*

```
[aruba_user_authentication]
search = sourcetype=aruba_syslog Error_ID=522008
#tags = authentication default
```

*transforms.conf*

```
[aruba_user_action]
# The match is case-sensitive: the events say "Successful" and "Failed".
REGEX = Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1
```
Thanks.
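An offline check, added here and not part of the original post, that runs both sample events through the logic the question asks for: one selector covering both event IDs, with the action derived from the ID and cross-checked against the outcome word. It is Python rather than Splunk configuration; `ACTION_BY_ID`, `parse_event` and the normalised field names are assumptions made for illustration.

```python
import re

# The two sample events from the post, embedded so the check runs offline.
SAMPLES = [
    "Oct 19 04:19:24 awc1 authmgr[1883]: <522008> User Authentication Successful: "
    "username=john.doe MAC=08:15:96:ab:ac:e0 IP=192.168.2.10 role=authenticated "
    "VLAN=601 AP=102.168.2.1 SSID=corp AAA profile=Auth_AaaProfile "
    "auth method=802.1x auth server=radius.lab.com",
    "Oct 19 23:57:03 awc1 authmgr[1883]: <522042> User Authentication Failed: "
    "username=john.doe MAC=08:15:96:ab:ac:e0 IP=0.0.0.0 auth method=802.1x "
    "auth server=radius.lab.com",
]

# Assumption: each event ID maps to exactly one action value.
ACTION_BY_ID = {"522008": "success", "522042": "failure"}

# Header layout: "<id> User Authentication <Outcome>: key=value ..."
HEADER = re.compile(
    r"<(?P<error_id>\d+)>\s+User Authentication\s+"
    r"(?P<outcome>Successful|Failed):\s+(?P<kv>.*)$"
)

# Keys may contain spaces ("auth method"); values in the samples never do.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)=(\S+)")


def parse_event(line):
    """Return normalised fields for one authmgr line, or None when the line
    is not an authentication event listed in ACTION_BY_ID."""
    m = HEADER.search(line)
    if m is None or m["error_id"] not in ACTION_BY_ID:
        return None
    fields = {k.strip().lower().replace(" ", "_"): v
              for k, v in PAIR.findall(m["kv"])}
    fields["error_id"] = m["error_id"]
    fields["action"] = ACTION_BY_ID[m["error_id"]]
    # Cross-check: the outcome word and the ID-derived action must agree.
    expected = "success" if m["outcome"] == "Successful" else "failure"
    if fields["action"] != expected:
        raise ValueError(f"ID {m['error_id']} disagrees with {m['outcome']}")
    return fields


if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_event(line)
        print(ev["error_id"], ev["action"], ev["username"], ev["auth_method"])
```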