Hi @isin67,

Your questions are just a little not so defined!

Anyway, about the first question, on Splunk you can create every kind of alert: missing of a message or a system, presence of a message, you can define thresholds, etc...

in few words, you have only to exactly define your alerts requirements and using Splunk you can realize them.

Then you can generate the action you like: eMail, script execution, list, etc...

About the second question, you have to define where the authentication messages are generated, how to identify them and how to take them: e.g. in windows:

• the login events are stored in WinEventLog,
• they are defined with the EventCode (Login 4624, LogFail 4625, Logout 4634),
• you can take them using the Splunk Technical Add-On for Windows.

The third answer is the same of the second, you have to define where the authentication messages are generated, how to identify them and how to take them.

I think that you should follow some Splunk training to better understand how Splunk works, you could start from:

• Splunk Fundamentals I (free course at https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html)
• Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/WelcometotheSearchTutorial).

Then on YouTube you can find many introductive to Splunk videos.

If you could share more details, I could help you more.

Ciao.

Giuseppe