https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158670#M4757 <P>Hi If you can provide a sample data it will be very easy to help you.</P> <OL> <LI>your search can look like this: a-assuming you have a security file. source=security_log_file failed login ted Answer | timecart span = 30d limit =10 .......</LI> </OL> <P>b. assuming you want to have it directly from splunk:</P> <P>index = _audit action = failure earliest=-30d | stats values(user) AS Users, values(action) |top limit =10 action</P> <P>OR<BR /> index = _audit action = failure earliest =-30d|top limit=10 action</P> <P>2.Average number of user check outs by region.</P> <P>if you have a field in which you keep number of user( may be per month, day, ..........), do something like this:</P> <P>.........|stats avg(your_field) by region</P> <P>NOTE: your search depends on you data so please take time to post your sample data next time.</P> <P>see <BR /> docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual</P> Mon, 28 Sep 2020 19:38:14 GMT stephane_cyrill 2020-09-28T19:38:14Z https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158669#M4756 <P>Hi,</P> <P>I am new to Splunk ,I want to get reports for the below.Please help in writing queires for the below scenarios.</P> <P>1.Top 10 failed logins over the past 30 days<BR /> 2.Average number of user check outs by region.</P> <P>Thanks in Advance</P> Tue, 28 Apr 2015 00:04:57 GMT https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158669#M4756 luckymaddy 2015-04-28T00:04:57Z https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158670#M4757 <P>Hi If you can provide a sample data it will be very easy to help you.</P> <OL> <LI>your search can look like this: a-assuming you have a security file. source=security_log_file failed login ted Answer | timecart span = 30d limit =10 .......</LI> </OL> <P>b. assuming you want to have it directly from splunk:</P> <P>index = _audit action = failure earliest=-30d | stats values(user) AS Users, values(action) |top limit =10 action</P> <P>OR<BR /> index = _audit action = failure earliest =-30d|top limit=10 action</P> <P>2.Average number of user check outs by region.</P> <P>if you have a field in which you keep number of user( may be per month, day, ..........), do something like this:</P> <P>.........|stats avg(your_field) by region</P> <P>NOTE: your search depends on you data so please take time to post your sample data next time.</P> <P>see <BR /> docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual</P> Mon, 28 Sep 2020 19:38:14 GMT https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158670#M4757 stephane_cyrill 2020-09-28T19:38:14Z https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158671#M4758 <P>Hi,<BR /> for the first question: if you have field <STRONG>login</STRONG> or <STRONG>status</STRONG> that take "<STRONG>failed</STRONG>" as value, and <STRONG>user</STRONG> field; here is the query:</P> <PRE><CODE>index=... status=failed earliest=-30d latest=now|top limit=10 users|table user ... </CODE></PRE> <P>For the second, if you have region field, here is the query:</P> <PRE><CODE> index=... | stats avg(user) by region|table user avg(user) ... </CODE></PRE> Tue, 28 Apr 2015 01:41:52 GMT https://community.splunk.com/t5/Security/Authentication-Search-Queries/m-p/158671#M4758 NOUMSSI 2015-04-28T01:41:52Z