Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk success & fail Logins

kiran331
Builder
‎08-09-2016 08:00 AM

Hi

How can i get a report of Success and Fail Logins in Splunk Local accounts(not LDAP) for last 30 days?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
Super Champion
‎08-09-2016 08:52 AM 
index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
Super Champion
‎08-09-2016 08:52 AM 
index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
Super Champion
‎08-09-2016 09:01 AM

looks like source and sourcetype are audittrail. i hope this is same for LDAP and local users as well. please check it and update us(for those who uses LDAP only)
index=_audit source = audittrail sourcetype = audittrail

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎08-09-2016 09:03 AM

Thank! It got both Ldap and local accounts

0 Karma
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!