I'm new to Splunk.
I created 15 users and had failed login attempts on some of them.
How can I find the first 10 failed login attempts? With what command can I see this in Splunk?
sourcetype="WinEventLog:Security" eventcode 4625| top limit=10 "Account Name"
I tried it; it brought all users, but how do I integrate the "failed" part into it? Am I walking on the wrong path?
Here is your SPL query; let me know if it works for you.
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=529) Account_Name!="" | stats count by Account_Name | sort -count | head 10
Event code 529 captures failure events from Windows 2003 or older.
Account_Name!="<put a value which doesn't make any sense to you, like blank, -, etc.>"
head 10 - for top 10 results.
Hope this helps and happy Splunking!
You're on the right path.
The event should have a field that indicates if the login succeeded or failed. Test that field in your query to include only failures. You'll need to remove the top command to see the full event.
The query may end up looking something like this:
sourcetype="WinEventLog" EventCode=4625 index=wineventlog action=failure
| top limit=10 Account_Name
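Added example, not from either answer above: a small Python stand-in for the SPL `EventCode=4625 | stats count by Account_Name | sort -count | head N`, run over constructed 4625/4624 events so the effect of the `Account_Name!="..."` filter can be seen offline. It assumes (as the first answer implies) that Splunk's automatic extraction turns every indented `Account Name:` line of a 4625 event into one value of the multivalue field `Account_Name`, so the Subject's `-` placeholder gets counted alongside the account that actually failed. Hosts, user names and the event layout are made up; `make_4625`, `splunk_style_fields`, `target_account` and the two `top_failed_accounts*` functions are hypothetical helpers written for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample data: hypothetical host, domain and user names.


def make_4625(target: str, subject: str = "-", domain: str = "CORP",
              logon_type: int = 3, sub_status: str = "0xC000006A") -> str:
    """Build one Security-log 4625 (logon failure) event in the key=value
    text layout that Splunk's WinEventLog:Security input indexes.
    Layout modelled on a typical 4625 message; values are invented."""
    return (
        "04/12/2024 10:15:03 AM\n"
        "LogName=Security\n"
        "EventCode=4625\n"
        "ComputerName=DC01.corp.example\n"
        "Keywords=Audit Failure\n"
        "Message=An account failed to log on.\n"
        "\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\t-\n"
        "\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "\n"
        "Account For Which Logon Failed:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{target}\n"
        f"\tAccount Domain:\t\t{domain}\n"
        "\n"
        "Failure Information:\n"
        "\tStatus:\t\t\t0xC000006D\n"
        f"\tSub Status:\t\t{sub_status}\n"
    )


def make_4624(target: str) -> str:
    """A successful logon (4624); a failed-logon report must ignore it."""
    return (
        "04/12/2024 10:16:00 AM\n"
        "LogName=Security\n"
        "EventCode=4624\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "New Logon:\n"
        f"\tAccount Name:\t\t{target}\n"
        "\tAccount Domain:\t\tCORP\n"
    )


FIELD_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)
ACCOUNT_NAME_RE = re.compile(r"^[ \t]*Account Name:[ \t]*(.*?)[ \t]*$", re.MULTILINE)
TARGET_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:[ \t]*(\S+)", re.S)

# Failure codes used by the first answer: 4625 (Vista+) and 529 (2003 and older).
FAILURE_CODES = {"4625", "529"}


def splunk_style_fields(event: str) -> Dict[str, List[str]]:
    """Imitate Splunk's automatic extraction (assumed behaviour): each header
    `key=value` line becomes a field, and every `Account Name:` line in the
    message body appends a value to the multivalue field Account_Name."""
    fields: Dict[str, List[str]] = {}
    for key, value in FIELD_RE.findall(event):
        fields.setdefault(key, []).append(value)
    for name in ACCOUNT_NAME_RE.findall(event):
        fields.setdefault("Account_Name", []).append(name)
    return fields


def target_account(event: str) -> Optional[str]:
    """The account that actually failed to log on (the 4625 'Account For
    Which Logon Failed' section), which is what a top-N report should count."""
    match = TARGET_RE.search(event)
    return match.group(1) if match else None


def top_failed_accounts_naive(events: List[str], limit: int = 10) -> List[Tuple[str, int]]:
    """`EventCode=4625 OR EventCode=529 | stats count by Account_Name | sort -count | head N`
    with no filtering: every Account_Name value is counted, so the Subject
    placeholder '-' usually lands at the top of the table."""
    counts: Counter = Counter()
    for event in events:
        fields = splunk_style_fields(event)
        if not FAILURE_CODES & set(fields.get("EventCode", [])):
            continue
        counts.update(fields.get("Account_Name", []))
    return counts.most_common(limit)


def top_failed_accounts(events: List[str], limit: int = 10,
                        exclude: frozenset = frozenset({"", "-"})) -> List[Tuple[str, int]]:
    """Same report, but counting only the target account of each failure and
    dropping placeholder values, as the `Account_Name!="-"` clause intends."""
    counts: Counter = Counter()
    for event in events:
        fields = splunk_style_fields(event)
        if not FAILURE_CODES & set(fields.get("EventCode", [])):
            continue
        name = target_account(event)
        if name is None or name in exclude:
            continue
        counts[name] += 1
    return counts.most_common(limit)


# Constructed event stream: three failures for jsmith, three for administrator
# (one of them a run-as attempt with a real Subject), one for svc_backup, and
# one successful logon that must not be counted.
SAMPLE_EVENTS: List[str] = (
    [make_4625("jsmith")] * 3
    + [make_4625("administrator")] * 2
    + [make_4625("administrator", subject="helpdesk")]
    + [make_4625("svc_backup")]
    + [make_4624("jsmith")]
)

if __name__ == "__main__":
    print("naive   :", top_failed_accounts_naive(SAMPLE_EVENTS))
    print("filtered:", top_failed_accounts(SAMPLE_EVENTS))
```

The naive report puts `-` first with six hits, which is the "value that doesn't make any sense" the first answer tells you to exclude; the filtered report counts only the account under "Account For Which Logon Failed", so a run-as failure is attributed to the account that was tried, not to the helpdesk user who tried it.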