Getting Data In

capturing windows failed login

npandith
Explorer

I have been trying with the below query to capture the failed login attempts made on the windows servers.

source="WinEventLog:Security" (EventCode="4625" OR EventCode="539" OR EventCode="529" OR EventCode="531") | eval User_Name=coalesce(User_Name,Account_Name) | stats count, list(User_Name) by host

But the above query gives output as below:

host           count   list(User_Name)
dc1server01    1       john john

It shows the count as 1, but in the list it gives the username twice (john). I used dedup but I am still not able to fix the issue.

Can anyone please let me know the solution for this?

0 Karma

I-Man
Communicator

Hey,

Can you post what your actual logs look like? I wrote the same report but used mvindex instead of coalesce, as I was having an issue where the Account_Name field was listed more than once and I had to specify which one I needed.

It looks like you are trying to combine two fields into one using coalesce. Try using case instead, example:

eval UserName=case(k8cname!="", k8cname, User_Name!="", User_Name)

This takes field k8cname and User_Name and combines them into one field UserName. A little roundabout but works.

I-Man

0 Karma
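As an added example (not the original poster's or the answerer's query), here is one way to write the failed-logon report so that the multivalue Account_Name does not inflate the user list. It assumes the Splunk Add-on for Windows field names, where a 4625 event's Account_Name typically carries the subject account at index 0 and the target account at index 1; the threshold of 5 is an arbitrary constructed value.

```spl
source="WinEventLog:Security" (EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=539)
| eval Target_User=if(mvcount(Account_Name) > 1, mvindex(Account_Name, 1), mvindex(Account_Name, 0))
| eval User_Name=coalesce(User_Name, Target_User)
| stats count AS failed_logons, dc(User_Name) AS distinct_users, values(User_Name) AS users BY host
| where failed_logons >= 5
```

mvindex picks a single target account per event before the stats, and values() deduplicates per host, so a host with one failed logon for john reports failed_logons=1, distinct_users=1 and users=john.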