https://community.splunk.com/t5/Splunk-Search/Nutanix/m-p/558376#M158609 <P>Hi All,</P><P>We configured logs of a nutanix cluster to be pushed to splunk.&nbsp;</P><P>Inside splunk, I can see logs that shows that [An unsuccessful login attempt was made with username: xxx]</P><P><SPAN>&nbsp;How can I churn this out to a report. I am kind of lost where on how to start.</SPAN></P><P>&nbsp;</P><P><SPAN>Can someone please explain or guide me along?</SPAN></P><P><SPAN>Thank You</SPAN></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Alex</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Tue, 06 Jul 2021 09:46:16 GMT splunknewbie81 2021-07-06T09:46:16Z https://community.splunk.com/t5/Splunk-Search/Nutanix/m-p/558376#M158609 <P>Hi All,</P><P>We configured logs of a nutanix cluster to be pushed to splunk.&nbsp;</P><P>Inside splunk, I can see logs that shows that [An unsuccessful login attempt was made with username: xxx]</P><P><SPAN>&nbsp;How can I churn this out to a report. I am kind of lost where on how to start.</SPAN></P><P>&nbsp;</P><P><SPAN>Can someone please explain or guide me along?</SPAN></P><P><SPAN>Thank You</SPAN></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Alex</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Tue, 06 Jul 2021 09:46:16 GMT https://community.splunk.com/t5/Splunk-Search/Nutanix/m-p/558376#M158609 splunknewbie81 2021-07-06T09:46:16Z https://community.splunk.com/t5/Splunk-Search/Nutanix/m-p/558378#M158610 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236088">@splunknewbie81</a>,</P><P>at first, you have to study the eventtypes of your logs: e.g. if the condition for the logfail event of nutanix is only "<SPAN>An unsuccessful login attempt was made", you could create and save an eventtype like this</SPAN>:</P><LI-CODE lang="markup">index=nutanix "An unsuccessful login attempt was made"</LI-CODE><P>I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!</P><P>Remember that to make a search in Splunk 70% of the job is to know what to search and 30% is to build the search in Splunk!</P><P>So e.g. if you have to find the condition for the logfail in windows you have to take events with EvenCode=4625, 4771, 537, 536, 539, 531, etc...</P><P>Coming back to your search, when you identified the logfail condition, you have to extract the interesting fields: if you have a pair fieldname=fieldvalue, Splunk automatically extract the field, otherwise you have to manually extract it using a regex, in your case, something like this:</P><LI-CODE lang="markup">| rex "An unsuccessful login attempt was made with username: (?&lt;user&gt;\w+)"</LI-CODE><P>Then you have to create your table, e.g. displaying all logfails:</P><LI-CODE lang="markup">index=nutanix "An unsuccessful login attempt was made" | rex "An unsuccessful login attempt was made with username: (?&lt;user&gt;\w+)" | table _time user</LI-CODE><P>If otherwise you want the number of logfails for each user, you could run something like this:</P><LI-CODE lang="markup">index=nutanix "An unsuccessful login attempt was made" | rex "An unsuccessful login attempt was made with username: (?&lt;user&gt;\w+)" | stats count BY user</LI-CODE><P>You can enrich your search in many ways, but I hint to follow the Search Tutorial for this (<A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial</A>) or splunk training or videos on YouTube.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 06 Jul 2021 10:10:28 GMT https://community.splunk.com/t5/Splunk-Search/Nutanix/m-p/558378#M158610 gcusello 2021-07-06T10:10:28Z