Creating an alert to find fail login within 15 minutes with a hit of higher than 3 times?


Hi guys,

I need to create this alert that will fetch failed logins that happen more than 3 times within 15 minutes and display the results as user and the number of events per that user.

I am thinking using something like:

index=indexName eventtype="failed_logins" | bucket _time span=15m


index=indexName eventtype="failed_logins" | tranactions <something?> maxspan=15m

Anyone experts can give me some guide?

Tags (2)
0 Karma


Hello! Here you go

index=indexName eventtype="failed_logins" |stats count 

Save it as an Alert!

Title: Failed_alert
Alert Type: Real Time
Trigger Condition: Number of Results
Trigger if Number of Results is : Greater than 3
in : 15 min

For more information, Read here :


0 Karma


hi normangoh,
write your query

 index=indexName eventtype="failed_logins" 

and backup simply as an alert with the following characteristics:
alt text

when your research to see all the results, you can use the following query:

 index = indexName eventType = "failed_logins" user = * |table  user  _raw
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...