https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394640#M114606 <P>Hi Sagar0511,<BR /> if you want all the failed login in a minute, you could use a search like this:</P> <PRE><CODE>index=wineventslog EventCode=4625 | stats values (Account_Name) AS Account_Name values(dest) AS dest values(ComputerName) AS ComputerName count </CODE></PRE> <P>If you want to know the login failed for each Account_Name you can add the clause BY at the end of the search</P> <PRE><CODE>index=wineventslog EventCode=4625 | stats values (Account_Name) AS Account_Name values(dest) AS dest values(ComputerName) AS ComputerName count BY Account_Name </CODE></PRE> <P>If instead a saccessful login resets the count you can use something like this:</P> <PRE><CODE>index=wineventslog EventCode=4624 OR EventCode=4625 | transaction startswith="EventCode=4625" endswith="EventCode=4624" | table Account_Name dest ComputerName eventcount </CODE></PRE> <P>If a saccessful login resets the count and you want the count for user you can use something like this</P> <PRE><CODE>index=wineventslog EventCode=4624 OR EventCode=4625 | transaction Account_Name startswith="EventCode=4625" endswith="EventCode=4624" | table Account_Name dest ComputerName eventcount </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 18 Jun 2018 13:31:21 GMT gcusello 2018-06-18T13:31:21Z https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394639#M114605 <P>We have our test environment in which Splunk Enterprise OVA is installed as server and Windows server (with universal forwarder installed) which is client. From these windows server all the logs are forwarder. I want to find the the <STRONG>consecutive failed logins</STRONG> events within the time span of <STRONG>1 min</STRONG>. If a next event is successful logon in the middle of the failed logins, it should ignored. Each event has a field which tells whether it was success or failure.</P> <P>For Ex: I have tried using the below query.</P> <H2>1. index=wineventslog EventCode=4625 | eval Result=if((EventCode=4625), "FAILED", "SUCCESSFUL") | streamstats count time_window=1m | table Account_Name,Result,dest,ComputerName | dedup Account_Name</H2> <H2>2. index=wineventslog EventCode=4625 | streamstats count time_window=1m | table Account_Name,action,dest,ComputerName | dedup Account_Name</H2> <P>Any help to resolve this issue.<BR /> Thanks</P> Tue, 29 Sep 2020 20:04:38 GMT https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394639#M114605 Sagar0511 2020-09-29T20:04:38Z https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394640#M114606 <P>Hi Sagar0511,<BR /> if you want all the failed login in a minute, you could use a search like this:</P> <PRE><CODE>index=wineventslog EventCode=4625 | stats values (Account_Name) AS Account_Name values(dest) AS dest values(ComputerName) AS ComputerName count </CODE></PRE> <P>If you want to know the login failed for each Account_Name you can add the clause BY at the end of the search</P> <PRE><CODE>index=wineventslog EventCode=4625 | stats values (Account_Name) AS Account_Name values(dest) AS dest values(ComputerName) AS ComputerName count BY Account_Name </CODE></PRE> <P>If instead a saccessful login resets the count you can use something like this:</P> <PRE><CODE>index=wineventslog EventCode=4624 OR EventCode=4625 | transaction startswith="EventCode=4625" endswith="EventCode=4624" | table Account_Name dest ComputerName eventcount </CODE></PRE> <P>If a saccessful login resets the count and you want the count for user you can use something like this</P> <PRE><CODE>index=wineventslog EventCode=4624 OR EventCode=4625 | transaction Account_Name startswith="EventCode=4625" endswith="EventCode=4624" | table Account_Name dest ComputerName eventcount </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 18 Jun 2018 13:31:21 GMT https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394640#M114606 gcusello 2018-06-18T13:31:21Z https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394641#M114607 <P>above answer is not valid for consecutive failed attempts </P> Tue, 26 Jun 2018 12:04:41 GMT https://community.splunk.com/t5/Splunk-Search/Count-Consecutive-Failed-Logins-Events/m-p/394641#M114607 Rishabh_McKc 2018-06-26T12:04:41Z