https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705442#M238843 <P>I am trying to write an spl query to detect an event of a single source IP address&nbsp; or a user fails multiple time to login to multiple accounts.</P><P>can anyone help me write it.</P> Wed, 27 Nov 2024 21:12:32 GMT adoumbia 2024-11-27T21:12:32Z https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705442#M238843 <P>I am trying to write an spl query to detect an event of a single source IP address&nbsp; or a user fails multiple time to login to multiple accounts.</P><P>can anyone help me write it.</P> Wed, 27 Nov 2024 21:12:32 GMT https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705442#M238843 adoumbia 2024-11-27T21:12:32Z https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705444#M238845 <P>Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)</P> Wed, 27 Nov 2024 21:18:14 GMT https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705444#M238845 ITWhisperer 2024-11-27T21:18:14Z https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705445#M238846 <P>i want to find out which IP address, hostname or username has failed multiple time to login to multiple accounts.<BR />I am trying to detect brute force attack.</P> Wed, 27 Nov 2024 21:33:23 GMT https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705445#M238846 adoumbia 2024-11-27T21:33:23Z https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705450#M238847 <P><SPAN>Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)</SPAN></P> Wed, 27 Nov 2024 21:44:13 GMT https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705450#M238847 ITWhisperer 2024-11-27T21:44:13Z https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705468#M238849 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232033">@adoumbia</a>&nbsp;,</P><P>as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;said, it's really difficoult to help you without knowing the events to apply the search.</P><P>Anyway, if you need a brute force attack sample search, you can see in the Splunk Security Essentials App (&nbsp;<A href="https://splunkbase.splunk.com/app/3435" target="_blank">https://splunkbase.splunk.com/app/3435</A>&nbsp;) where you can find what you're searching and many other Security Use Cases.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 28 Nov 2024 07:48:23 GMT https://community.splunk.com/t5/Splunk-Search/SPL-Query-Error/m-p/705468#M238849 gcusello 2024-11-28T07:48:23Z