https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145625#M185180 <P>Thanks a lot for reply.<BR /> Q: are you search the correct index? <BR /> A: Yes<BR /> Q: do you have permission to search the correct index? <BR /> A: I am the administrator of our Splunk. <BR /> Q: beside the time range you've selected, is the time zone for this event maybe in an other time range? <BR /> A: I have selected different time ranges in this.<BR /> Q: can you find anything if you search for the user id in question? <BR /> A: I did not understand this.<BR /> Q: is the log/eventlog being picked up by Splunk so you have the events indexed after all? <BR /> A: Yes<BR /> Q: is the UF, which should pick up the upper mentioned events, running? <BR /> A: Yes</P> Wed, 30 Apr 2014 05:08:41 GMT udayk1 2014-04-30T05:08:41Z https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145623#M185178 <P>I am observing the failed logins of a user and it is getting locked quite frequently morning between 01:30 AM to 02:30 AM, could not find the reason and if we trying to retrieve the logs from splunk regarding the failed logins we are not able to get the relevant logs, this is the query which I am executing please let me know if any other query we can put. I am just searching <EM>failed</EM> for last 24hours. But no response. </P> <P>We are receiving the failed logins of all the other user IDs.</P> Tue, 29 Apr 2014 07:07:34 GMT https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145623#M185178 udayk1 2014-04-29T07:07:34Z https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145624#M185179 <P>Hi udayk1,</P> <P>well, there could be many reasons for events not showing up...here are some basic checks for you:</P> <UL> <LI>are you search the correct index? </LI> <LI>do you have permission to search the correct index?</LI> <LI>beside the time range you've selected, is the time zone for this event maybe in an other time range?</LI> <LI>can you find anything if you search for the user id in question?</LI> <LI>is the log/eventlog being picked up by Splunk so you have the events indexed after all?</LI> <LI>is the UF, which should pick up the upper mentioned events, running?</LI> </UL> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 29 Apr 2014 07:57:27 GMT https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145624#M185179 MuS 2014-04-29T07:57:27Z https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145625#M185180 <P>Thanks a lot for reply.<BR /> Q: are you search the correct index? <BR /> A: Yes<BR /> Q: do you have permission to search the correct index? <BR /> A: I am the administrator of our Splunk. <BR /> Q: beside the time range you've selected, is the time zone for this event maybe in an other time range? <BR /> A: I have selected different time ranges in this.<BR /> Q: can you find anything if you search for the user id in question? <BR /> A: I did not understand this.<BR /> Q: is the log/eventlog being picked up by Splunk so you have the events indexed after all? <BR /> A: Yes<BR /> Q: is the UF, which should pick up the upper mentioned events, running? <BR /> A: Yes</P> Wed, 30 Apr 2014 05:08:41 GMT https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145625#M185180 udayk1 2014-04-30T05:08:41Z https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145626#M185181 <P>so, you get some results for your search but not if you search for <CODE>failed</CODE> is that correct? Have you checked if you get the <CODE>failed</CODE>message in the source which is read by Splunk?</P> Wed, 30 Apr 2014 05:14:28 GMT https://community.splunk.com/t5/Splunk-Search/Failed-Logins/m-p/145626#M185181 MuS 2014-04-30T05:14:28Z