https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347896#M103014 <P>It turned out that there was a perl script attempting to use this person's login every 15 minutes to pull data. We are going to convert that functionality into a Splunk Alert.</P> Wed, 05 Apr 2017 18:02:42 GMT grittonc 2017-04-05T18:02:42Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347892#M103010 <P>Hello everyone,</P> <P>I have inherited shared responsibility for a Splunk instance. We recently had a user departure, and one of the other Splunk admins changed that user's password so that they couldn't login.</P> <P>However, when I look in _audit I see that there is a failed login for that user exactly every 15 minutes around the clock. I fear that they left a shell script behind that is trying to login.</P> <P>How can I find out the source of these failed attempts? </P> Tue, 07 Mar 2017 21:04:24 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347892#M103010 grittonc 2017-03-07T21:04:24Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347893#M103011 <P>Check if there is any saved search owned by that user. That may have an alert action setup or something.</P> <PRE><CODE>| rest /servicesNS/DeparteUserNameHere/-/saved/searches splunk_server=local </CODE></PRE> Tue, 07 Mar 2017 21:14:54 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347893#M103011 somesoni2 2017-03-07T21:14:54Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347894#M103012 <P>Yeah this sounds like schedule search jobs more than anything.</P> Tue, 07 Mar 2017 21:31:30 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347894#M103012 starcher 2017-03-07T21:31:30Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347895#M103013 <P>You could go into Settings -&gt; All configurations in the gui and pick their username as the owner if they are still listed. That would find enough knowledge objects still owned by them to confirm this.</P> Tue, 07 Mar 2017 21:39:35 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347895#M103013 starcher 2017-03-07T21:39:35Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347896#M103014 <P>It turned out that there was a perl script attempting to use this person's login every 15 minutes to pull data. We are going to convert that functionality into a Splunk Alert.</P> Wed, 05 Apr 2017 18:02:42 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347896#M103014 grittonc 2017-04-05T18:02:42Z https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347897#M103015 <P>It wasn't a scheduled search inside splunk, but a script outside of splunk that was trying to log in. We found this out because someone remembered which script it was. </P> <P>If we didn't have this knowledge, does anyone know how I would have identified the script that was trying to use these credentials? </P> Wed, 05 Apr 2017 18:04:46 GMT https://community.splunk.com/t5/Splunk-Search/User-has-left-the-company-but-audit-shows-failed-logins-every-15/m-p/347897#M103015 grittonc 2017-04-05T18:04:46Z