
capturing windows failed login

npandith
Explorer

I have been trying with the below query to capture the failed login attempts made on the windows servers.

source="WinEventLog:Security" (EventCode="4625" OR EventCode="539" OR EventCode="529" OR EventCode="531") | eval User_Name=coalesce(User_Name,Account_Name) | stats count, list(User_Name) by host

But the above query gives output as below:

host         count  list(User_Name)
dc1server01  1      john john

It says the count is 1 but in the list it gives the username twice (john). I used dedup but I am still not able to fix the issue.

Can anyone please let me know the solution for this?

0 Karma

I-Man
Communicator

Hey,

Can you post what your actual logs look like? I wrote the same report but used mvindex instead of coalesce, as I was having an issue where the Account_Name field was listed more than once and I had to specify which one I needed.

It looks like you are trying to combine two fields into one using coalesce. Try using case instead, example:

eval UserName=case(k8cname!="", k8cname, User_Name!="", User_Name)

This takes the fields k8cname and User_Name and combines them into one field, UserName. A little roundabout, but it works.

I-Man

0 Karma
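The duplicate in `list(User_Name)` with a count of 1 is what a single event with a multivalue field looks like: `count` counts events, while `list()` emits every value of the field, duplicates included. The SPL below is an added example written for this thread, not code from either poster. The first search builds a constructed event with `makeresults` whose `Account_Name` holds the value `john` twice (an assumption standing in for the real logs, which are not shown) and puts `list()` next to `values()` and `mvdedup()` so the difference is visible. The second search is the original report rewritten with those functions; the parentheses around the EventCode terms are needed because in SPL the implicit AND binds tighter than OR, so without them `source="WinEventLog:Security"` only applies to the first EventCode.

```spl
| makeresults
| eval host="dc1server01", Account_Name=split("john,john", ",")
| eval User_Name=coalesce(User_Name, Account_Name)
| stats count,
        list(User_Name)             AS with_list,
        values(User_Name)           AS with_values,
        list(mvdedup(User_Name))    AS with_mvdedup
  by host

source="WinEventLog:Security" (EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=539)
| eval User_Name=mvdedup(coalesce(User_Name, Account_Name))
| stats count, values(User_Name) AS User_Name by host
```

Run the first search on its own to see `with_list` return `john` twice while `with_values` and `with_mvdedup` return it once. `values()` also sorts and de-duplicates across all events for the host, which is usually what a failed-logon report wants; if the report needs the per-event order preserved, keep `list()` and apply `mvdedup()` to the field first, as the second search does. Where `Account_Name` carries two different accounts in one event (for example a subject account and the account the logon was attempted for), `mvindex(Account_Name, N)` selects a specific position instead, which is the approach I-Man describes above; which index holds the account of interest depends on the event source and should be checked against the raw events.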