Creating an alert to find fail login within 15 minutes with a hit of higher than 3 times?


Hi guys,

I need to create this alert that will fetch failed logins that happen more than 3 times within 15 minutes and display the results as user and the number of events per that user.

I am thinking using something like:

index=indexName eventtype="failed_logins" | bucket _time span=15m


index=indexName eventtype="failed_logins" | tranactions <something?> maxspan=15m

Anyone experts can give me some guide?

Tags (2)
0 Karma


Hello! Here you go

index=indexName eventtype="failed_logins" |stats count 

Save it as an Alert!

Title: Failed_alert
Alert Type: Real Time
Trigger Condition: Number of Results
Trigger if Number of Results is : Greater than 3
in : 15 min

For more information, Read here :


0 Karma


hi normangoh,
write your query

 index=indexName eventtype="failed_logins" 

and backup simply as an alert with the following characteristics:
alt text

when your research to see all the results, you can use the following query:

 index = indexName eventType = "failed_logins" user = * |table  user  _raw
0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...