Alerting

What is the best way to trigger an alert when more than one user gets locked out on one machine?

cyber2016
New Member

What is the best way to trigger an alert based on multiple failed attempts from one machine?
For example: I want an alert when on one machine, more than one user gets locked out.

I tried | stats count by host, user, but it gives me all locked attempts.

0 Karma
1 Solution

javiergn
Super Champion

If you want distinct users then use dc:

your base search
| stats dc(user) as distinct_users, values(user) as users by host
| where distinct_users > 1

View solution in original post

0 Karma

javiergn
Super Champion

If you want distinct users then use dc:

your base search
| stats dc(user) as distinct_users, values(user) as users by host
| where distinct_users > 1
0 Karma

cyber2016
New Member

something is wrong with this query. I am getting error: in 'stats' command: the output field 'distinct_users' cannot have the same name as a group-by field

0 Karma

javiergn
Super Champion

Are you also trying to group by users?
Can you post your full query here?

0 Karma

cyber2016
New Member

it is fine, I found the problem, thanks for help

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...