We are using a basic use case to test two methods to do event correlation in Splunk.

Method 1 Regex:

(eventtype="Logon_Success" OR eventtype="Failed_Logins")|stats list(eventtype) as list by Account_Name|eval  list = mvjoin(list, " ")|eval alert = if(match(list,"((Failed_Logins.*){3,}?)(Logon_Success\s?)"),"True","False")|search alert="True"

Method 2:
Step 1: Create Active List similar to ArcSight (list that accumulates events)

(eventtype="Failed_Logins")|eval last_seen = now()| inputlookup append=t mylist| table Account_Name, EventCode, eventtype, _time, last_seen| eval now = now()|eval ttl = 3600 * 24| where (now - last_seen) < ttl |table Account_Name, EventCode, eventtype, _time, last_seen, now, ttl| outputlookup mylist.csv

Step 2: Refer to lookup list to trigger alert

sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 OR EventCode=540
|stats count by Account_Name
|eval state="Sucess"
|append [inputlookup mylist.csv|stats count by Account_Name| where count >=3 | eval state="Failed"]

Question: I am having difficulty on this step. How do you trigger an alert with 3 failed logins (this event happens first) followed by a successful login? I find the inputlookup command limiting.

Any suggestions or other methods is also appreciated.

Thank you.