Splunk Gurus,
I am looking to build a search that will identify any accounts that experience 5 failed login attempts within a 1 minute time span. The intent is to run a daily report highlighting accounts with a large number of failures within a short period of time (potentially a bruteforce effort) for troubleshooting/customer service.
sourcetype=* result=FAILURE | table username, device, result, reason, src, _time | bucket _time span=1m | stats count by _time, username, src | search count > 4
Have you tried eventstats? Like so:
sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by _time, username, src | search count > 4 | table username device result reason src _time count
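An added example, not from the original question or answer, that avoids the fixed-minute-boundary problem: counting per bucket misses five failures spread over 11:59:40 to 12:00:20, while streamstats with a sliding 1-minute window catches them. It assumes the field names from the question, a daily run over the previous calendar day (earliest=-1d@d latest=@d), and the default time-sorted event order that the streamstats time_window argument requires.

```spl
sourcetype=* result=FAILURE earliest=-1d@d latest=@d
| streamstats time_window=1m count AS failures_in_1m BY username, src
| where failures_in_1m >= 5
| stats max(failures_in_1m) AS peak_failures_in_1m, min(_time) AS threshold_first_hit, max(_time) AS threshold_last_hit, count AS events_over_threshold, values(device) AS devices, values(reason) AS reasons BY username, src
| eval threshold_first_hit=strftime(threshold_first_hit, "%Y-%m-%d %H:%M:%S"), threshold_last_hit=strftime(threshold_last_hit, "%Y-%m-%d %H:%M:%S")
| sort - peak_failures_in_1m
```

The where clause keeps only the events at which a username/src pair reached 5 failures within any 60-second window, so threshold_first_hit is the moment the rule first fired, not the first failure; drop the final stats to see the individual events instead.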
I can definitely build on this, and really appreciate the help!