How to detect domain lockouts and configure an alert to trigger every time a user is locked out with proper throttling?
Hi,
We currently have a standalone setup for Splunk and would like to receive alerts from Splunk when an account is locked out so that we may unlock the account manually. Company policy does not allow for auto-unlocking (health insurance sector) and users are often frustrated when they get locked out.
Currently I have done the following:
- Set up Splunk Forwarder to our Splunk Web server from three of our domain controllers
- Created a dashboard from the Active Directory add-on and Windows Infrastructure App
- Created panels within that dashboard that are appropriate for this task
- Information/data is feeding through so that is not a problem
Problems:
- We want to get an alert every time a user is locked out
- What we've done so far is use the same query that Splunk automatically provides within the dashboard and set up an alert from that, but every time we do it, we get spammed via e-mail. We do a trigger per result.
We've done throttling too, and it doesn't seem to work 100%: what if two people are locked out simultaneously? And what term do I put to throttle?
Does anyone have similar set ups to this?
Lastly, I've noticed that running this search job/alert job takes up a lot of resources in terms of "cleaning the dispatch logs".
I use this search for a dashboard. Might be able to use this to help in your query...
index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort - count | rename Account_Name to "User Name", count to "Number of Lockouts"
PS: we use the AD add-on, but this is just from the event logs.
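One concrete way to turn the EventCode=4740 search from the reply above into a per-user alert, added here as an example and not taken from the thread or from Splunk's own apps: a savedsearches.conf stanza that triggers once per result row and throttles on Account_Name, so two different users locked out at the same moment both alert while a repeat lockout of the same user inside the suppression window is dropped. The stanza name, index, schedule, suppression period and e-mail address are assumptions to adjust for your environment; Account_Name is the field the reply's search already uses.

```ini
# Added example (not from the thread): per-user lockout alert with field-based throttling.
# Stanza name, index, schedule, window and recipient are assumptions.
[AD account lockout - per user]
# One row per locked-out account in the window; the count and last time ride along into the e-mail.
search = index=wineventlog EventCode=4740 | stats count AS lockouts, latest(_time) AS last_lockout BY Account_Name
enableSched = 1
# Run every 5 minutes over a 6-minute window: the one-minute overlap covers indexing lag,
# and the throttle below stops the overlap from producing a duplicate e-mail.
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = @m
# Fire whenever at least one row comes back.
counttype = number of events
relation = greater than
quantity = 0
# 0 = run the actions once per result row (one e-mail per locked-out user), not one digest.
alert.digest_mode = 0
# Throttle keyed on Account_Name rather than globally: a second lockout of the same user
# within 30 minutes is suppressed, a different user still alerts immediately.
alert.suppress = 1
alert.suppress.fields = Account_Name
alert.suppress.period = 30m
action.email = 1
action.email.to = helpdesk@example.com
action.email.subject = Account lockout: $result.Account_Name$
```

The field named in alert.suppress.fields is the "term" that makes throttling per user instead of per alert; without it a single suppression period silences every lockout, which is the simultaneous-lockout gap described in the question. Two things worth checking in the dashboard first: that Account_Name on your 4740 events resolves to the locked-out user rather than the domain controller's computer account (the event carries both a Subject and a target account, and the extraction may surface both values), and that the window is no larger than needed, since every triggered per-result alert leaves its own dispatch artifact and a wide window re-dispatches the same events on each run.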
