Splunk success & fail Logins

kiran331
Builder

Hi

How can I get a report of Success and Fail Logins in Splunk Local accounts (not LDAP) for the last 30 days?


inventsekar
Super Champion
index=_audit tag=authentication | stats count by user, info | sort - info

This works fine, but it includes LDAP as well. Let me check how to get only local accounts.
One more question - do you have both local accounts and LDAP authentication together?


inventsekar
Super Champion

Looks like source and sourcetype are audittrail. I hope this is the same for LDAP and local users as well. Please check it and update us (for those who use LDAP only).
index=_audit source = audittrail sourcetype = audittrail


kiran331
Builder

Thanks! It got both LDAP and local accounts.
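One way to narrow the report to local accounts over the last 30 days, as an added example that is not part of any post in this thread: a subsearch lists the native users from the `/services/authentication/users` REST endpoint and the audit search keeps only their login attempts. It assumes the endpoint reports `type` as `Splunk` for native accounts, that login events carry `action="login attempt"` with `info` set to `succeeded` or `failed`, and that the searching role is allowed to run `rest`.

```spl
index=_audit sourcetype=audittrail action="login attempt" earliest=-30d@d latest=now
    [| rest /services/authentication/users splunk_server=local
     | search type="Splunk"
     | fields title
     | rename title AS user ]
| eval outcome=if(info=="succeeded", "success", "fail")
| chart count over user by outcome
| fillnull value=0 success fail
| sort - fail
```

Failed attempts against usernames that do not exist on the instance are dropped by the subsearch filter, so run the outer search without it as well when reviewing for password guessing.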
