Is there a way to search by failed logons to Splunk?
I'd like to create an alert if a user attempts to logon but is denied either because an account doesn't exist, wrong password, etc.
Has anyone else tried this?
Got it
index=_audit action=failure
or
index=_audit action=failure | stats count by _time,user,action
View solution in original post
For 6.2.3 below is the location , seems it is NOT logged under ' index=_audit action=failure'
index=_internal sourcetype=splunkd ERROR "Login failed"
Thank you, I used this to troubleshoot a user that said he couldn't login
