- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peasead
Path Finder
08-08-2012
09:33 AM
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peasead
Path Finder
08-08-2012
09:55 AM
Got it
index=_audit action=failure
or
index=_audit action=failure | stats count by _time,user,action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peasead
Path Finder
08-08-2012
09:55 AM
Got it
index=_audit action=failure
or
index=_audit action=failure | stats count by _time,user,action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

stanwin
Contributor
01-04-2016
08:08 AM
For 6.2.3 below is the location , seems it is NOT logged under ' index=_audit action=failure'
index=_internal sourcetype=splunkd ERROR "Login failed"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

earlhelms
Path Finder
09-30-2016
11:46 AM
Thank you, I used this to troubleshoot a user that said he couldn't login
