https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514526#M9494 <P>The field for the sourcetype is "user", so your solution works for me perfectly. Thank you!</P> Mon, 17 Aug 2020 19:33:16 GMT clwboscovs 2020-08-17T19:33:16Z https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514500#M9491 <P>I want to create an alert that monitors 5+ authentication failures for VPN login within an hour, but I'm not sure how to get the alert to monitor for 5+ failures for any single user.</P><P>Here's an example log:</P><P><SPAN>[</SPAN><SPAN class="t"><SPAN class="t h">2020-08</SPAN>-17</SPAN> <SPAN class="t">11:40:10</SPAN><SPAN>,</SPAN><SPAN class="t">550</SPAN><SPAN>] [</SPAN><SPAN class="t">IG</SPAN> <SPAN class="t">Audit</SPAN> <SPAN class="t">Writer</SPAN><SPAN>] [</SPAN><SPAN class="t">INFO</SPAN><SPAN> ] [</SPAN><SPAN class="t">IG.AUDIT</SPAN><SPAN>] [</SPAN><SPAN class="t">AUD7505</SPAN><SPAN>] [</SPAN><SPAN class="t">VPN_AD_Group/user</SPAN><SPAN>] </SPAN><SPAN class="t">The</SPAN> <SPAN class="t">Radius</SPAN> <SPAN class="t">server</SPAN> <SPAN class="t">ise_servers</SPAN> <SPAN class="t">rejected</SPAN> <SPAN class="t">authentication</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">user</SPAN> <SPAN class="t">VPN_AD_Group/user.</SPAN></P> Mon, 17 Aug 2020 16:58:39 GMT https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514500#M9491 clwboscovs 2020-08-17T16:58:39Z https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514521#M9492 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65847">@clwboscovs</a>&nbsp;<BR /><BR />Could you please tell me what is the user name in your log?<BR />And is it already the user name is extracted into any field?<BR /><BR /><BR /></P><LI-CODE lang="markup">index=&lt;your index&gt; sourcetype=&lt;your sourcetype&gt; "The Radius server ise_servers rejected authentication" | stats count by user | where count &gt; 5</LI-CODE><P>&nbsp;</P> Mon, 17 Aug 2020 19:26:32 GMT https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514521#M9492 impurush 2020-08-17T19:26:32Z https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514522#M9493 <LI-CODE lang="markup">index=yourindex rejected authentication | rex "\s(?&lt;user&gt;[\w\/]+)\.$" | stats count by user | where count &gt; 5</LI-CODE> Mon, 17 Aug 2020 19:26:52 GMT https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514522#M9493 thambisetty 2020-08-17T19:26:52Z https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514526#M9494 <P>The field for the sourcetype is "user", so your solution works for me perfectly. Thank you!</P> Mon, 17 Aug 2020 19:33:16 GMT https://community.splunk.com/t5/Alerting/Create-alert-for-5-failed-authentications-for-any-single-user/m-p/514526#M9494 clwboscovs 2020-08-17T19:33:16Z