https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413001#M119053 <P>sure thing !<BR /> You will have to turn the first query :</P> <PRE><CODE> user=index="......" source type= "........" user= "abcd113" Event Code=4625 | eval hourDay=strftime(_time,"%y-%m-%d %H:00") | stats count by user,hourDay | where count &gt;6 | fields - hourDay </CODE></PRE> <P>Into this :</P> <PRE><CODE> user=index="......" source type= "........" user= "abcd113" Event Code=4625 | eval hourDay=strftime(_time,"%y-%m-%d %H:00") | stats count, values(Account_Name) as Account_Name, values(Account_Domain) as Account_Domain, values(Event Code) as Event Code, last(_time) as timestamp by user, hourDay | where count &gt;6 | fields - hourDay </CODE></PRE> <P>You can add as many <CODE>values</CODE>field as you want and make sure you're keeping user and hourDay behind the <CODE>by</CODE>.</P> Wed, 12 Jun 2019 11:16:05 GMT DavidHourani 2019-06-12T11:16:05Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412993#M119045 <P>Hi Team,<BR /> I would like to find out user failed login attempts which are greater than 6 times and those 6 failed login attempts happened within 1hr timestamp even if we keep any time range in time range picker.</P> <P>eg: <CODE>user=index="......" source type= "........" user= "abcd113" Event Code=4625</CODE> </P> <P>so, on the basis my search criteria let me know how to find out failed attempts within one-hour time stamp which are greater than 6 times from last 30 days or 24 hours or 7 days at any time range.</P> Tue, 11 Jun 2019 14:23:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412993#M119045 90509 2019-06-11T14:23:24Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412994#M119046 <P>Hi @90509,</P> <P>You can do that by simply adding an "hour" field and then hidding it, like this :</P> <PRE><CODE>user=index="......" source type= "........" user= "abcd113" Event Code=4625 | eval hourDay=strftime(_time,"%y-%m-%d %H:00") | stats count by user,hourDay | where count &gt;6 | fields - hourDay </CODE></PRE> <P>Or use <CODE>bin</CODE> command if your comfortable with that :</P> <PRE><CODE> user=index="......" source type= "........" user= "abcd113" Event Code=4625 | bin _time span=1h | stats count by user,_time | where count &gt;6 | fields - _time </CODE></PRE> <P>Let me know if that helps.</P> <P>Cheers,<BR /> David</P> Tue, 11 Jun 2019 14:44:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412994#M119046 DavidHourani 2019-06-11T14:44:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412995#M119047 <P>Hi @90509, Try this search:</P> <PRE><CODE>&lt;search to find events, specify index and sorucetype and event code, so...&gt; | bin span=1h _time | stats count by user, _time | where count&gt;6 </CODE></PRE> <P>This query will give user if any has tried failed login more than 6 times in 1 hour of time span.</P> <P>Hope this helps!!!</P> Tue, 11 Jun 2019 14:49:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412995#M119047 VatsalJagani 2019-06-11T14:49:22Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412996#M119048 <P>Start here and see if this helps. <A href="https://gosplunk.com/detect-username-guessing-brute-force-attacks/">https://gosplunk.com/detect-username-guessing-brute-force-attacks/</A></P> Wed, 12 Jun 2019 04:38:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412996#M119048 mlulmer 2019-06-12T04:38:41Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412997#M119049 <P>Thanks to All for your support.</P> Wed, 12 Jun 2019 10:51:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412997#M119049 90509 2019-06-12T10:51:53Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412998#M119050 <P>Thanks David for your great support !!</P> Wed, 12 Jun 2019 10:52:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412998#M119050 90509 2019-06-12T10:52:18Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412999#M119051 <P>most welcome ! Please up-vote and accept if it worked for you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Wed, 12 Jun 2019 10:56:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/412999#M119051 DavidHourani 2019-06-12T10:56:38Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413000#M119052 <P>David I need to add fields like Event Code, Timestamp(_time), user, Account_Name, Account_Domain basis on above condition. so , could you please help me how to do it.</P> Wed, 30 Sep 2020 00:51:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413000#M119052 90509 2020-09-30T00:51:23Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413001#M119053 <P>sure thing !<BR /> You will have to turn the first query :</P> <PRE><CODE> user=index="......" source type= "........" user= "abcd113" Event Code=4625 | eval hourDay=strftime(_time,"%y-%m-%d %H:00") | stats count by user,hourDay | where count &gt;6 | fields - hourDay </CODE></PRE> <P>Into this :</P> <PRE><CODE> user=index="......" source type= "........" user= "abcd113" Event Code=4625 | eval hourDay=strftime(_time,"%y-%m-%d %H:00") | stats count, values(Account_Name) as Account_Name, values(Account_Domain) as Account_Domain, values(Event Code) as Event Code, last(_time) as timestamp by user, hourDay | where count &gt;6 | fields - hourDay </CODE></PRE> <P>You can add as many <CODE>values</CODE>field as you want and make sure you're keeping user and hourDay behind the <CODE>by</CODE>.</P> Wed, 12 Jun 2019 11:16:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413001#M119053 DavidHourani 2019-06-12T11:16:05Z https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413002#M119054 <P>Please do some assistance The above search working absolutely perfect but I need to fetch only high events data NOT low events data how to add that condition.</P> <P>how could we know whether the high events are not coming into splunk from which date?</P> <P>index="......" source type= "........" user= "abcd113" Event Code=4625 OR Event Code=4720 OR Event Code=4722 OR Event Code=4738<BR /> | bin _time span=1h <BR /> | stats count by user, _time <BR /> | where count &gt;6 <BR /> | fields - _time</P> <P>here I need to fetch high events data and how find high events are not coming from which date into splunk?</P> Wed, 12 Jun 2019 15:12:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-out-falied-login-attempts-EventCode-4625-which-are/m-p/413002#M119054 90509 2019-06-12T15:12:21Z