https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442039#M3704 <P>i hope the <CODE>info=succeeded</CODE> is what you are looking for:<BR /> Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, <CODE>info=succeeded</CODE>, src=12.34.56.78][n/a]</P> <P><CODE>index="_audit" action=*login*</CODE></P> <P>my question on this same topic:<BR /> <A href="https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html">https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html</A></P> <P><EM>As you are a new user to Splunk Answers, you can upvote the answers/comments, <BR /> if this answer resolved your query, you can select this answer and "accept" it as the answer, so that this question will be moved to answered queue. Happy Splunking!</EM></P> Thu, 20 Dec 2018 08:55:52 GMT inventsekar 2018-12-20T08:55:52Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442038#M3703 <P>Hi,</P> <P>We're looking for web GUI log in attempts from index=_audit. Note that for event like following:</P> <P>Audit:<CODE>[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]</CODE></P> <P>the "action" field is set to "success" instead of "login attempt". </P> <P>Was it set somewhere? Sorry for the newbie question.</P> <P>Thanks a lot.<BR /> Regards</P> <P>EDIT: removed the ip address</P> Thu, 20 Dec 2018 08:31:02 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442038#M3703 stwong 2018-12-20T08:31:02Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442039#M3704 <P>i hope the <CODE>info=succeeded</CODE> is what you are looking for:<BR /> Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, <CODE>info=succeeded</CODE>, src=12.34.56.78][n/a]</P> <P><CODE>index="_audit" action=*login*</CODE></P> <P>my question on this same topic:<BR /> <A href="https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html">https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html</A></P> <P><EM>As you are a new user to Splunk Answers, you can upvote the answers/comments, <BR /> if this answer resolved your query, you can select this answer and "accept" it as the answer, so that this question will be moved to answered queue. Happy Splunking!</EM></P> Thu, 20 Dec 2018 08:55:52 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442039#M3704 inventsekar 2018-12-20T08:55:52Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442040#M3705 <P>Hi, thanks for your help.<BR /> I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events... </P> Thu, 20 Dec 2018 10:23:54 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442040#M3705 stwong 2018-12-20T10:23:54Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442041#M3706 <P>Hi,</P> <P>could be that someone created a field extraction for audittrail to change the value to "success", since its not the default value.</P> <P>You should check that, for example in "All configurations" or you could <CODE>grep</CODE> on the UI in directory <CODE>$SPLUNK_HOME/etc/users</CODE> for the word <CODE>action</CODE> command: <CODE>grep -R action</CODE></P> Thu, 20 Dec 2018 10:39:25 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442041#M3706 dkeck 2018-12-20T10:39:25Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442042#M3707 <P><EM>I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events...</EM><BR /> i think there are no configurations. It is just the audit log format Splunk developers selected. </P> <P>there are only 2 choices:<BR /> action=login attempt, info=succeeded<BR /> action=login attempt, info=failed</P> Thu, 20 Dec 2018 12:41:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442042#M3707 inventsekar 2018-12-20T12:41:17Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442043#M3708 <P>Thanks and agree. But when expanding the event fields on web interfrace, we can see that the "action" attribute is set to "success", not "login attempt".</P> Thu, 20 Dec 2018 17:40:02 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442043#M3708 stwong 2018-12-20T17:40:02Z https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442044#M3709 <P>Thanks. Found that it's done by a transform in the CIM add-on $SPLUNKE_HOME/etc/apps/Splunk_SA_CIM/default/props.conf.</P> <P>Thanks a lot.</P> Tue, 29 Sep 2020 22:26:55 GMT https://community.splunk.com/t5/Monitoring-Splunk/Can-you-help-us-find-web-GUI-log-in-attempts-from-index-audit/m-p/442044#M3709 stwong 2020-09-29T22:26:55Z