Getting Data In

capturing windows failed login


I have been trying with the below query to capture the failed login attempts made on the windows servers.

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR EventCode="529" OR EventCode="531" eval User_Name=coalesce(User_Name,Account_Name) | stats count,list(User_Name)by host

But the above query will give output as below-

host count list(User_Name)

dc1server01 1 john john

It says count as 1 but in the list it gives username twice(john). I used dedup but i still i am not able to fix the issue.

Can anyone please let me know the solution for this?

0 Karma



Can you post what your actual logs look like? I wrote the same report but used mvindex instead of coalesce as i was having an issue where the Account name field was listed more than once and i had to specify which one i needed.

It looks like you are trying to combine two fields into one using coalesce. Try using case instead, example:

eval UserName=case(k8cname!="", k8cname, User_Name!="", User_Name)

This takes field k8cname and User_Name and combines them into one field UserName. A little roundabout but works.


0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...