We were using an old version of Splunk (ver 5) and have since updated to the ver 6.2.4 and now our failed login attempts search string no longer works and I can't figure out why. Here is what we have:
source="WinSecurity" "EventCode=4776" AND "Audit Failure" NOT (Logon_Account="*$" OR Logon_account="*$") | eval "User_Account" = coalesce(Logon_Account,Logon_account) | stats count by User_Account |sort 20 -count | search count > 15
We have several domain controllers and used to get all of the logs. Now I get nothing and it was working before. The only thing I think I see is that there is no longer a field called User_Account. I have played around with it, but it won't show me the search count by user anymore. What am I doing wrong? Thanks Keith
Do you get any result after just putting :
If not please that means you need to provide an index name.
Refer this - http://answers.splunk.com/answers/71694/search-without-index-not-working.html
Yes I get 6K results, but I want to see just the ones that are over 15 times in a hr
add as - for hourly buckets
|bucket _time span=1h |
Also if this filed is not available "User_Account", on which field do you want the stats to run?
The inputs.conf format for Windows eventlogs changed from splunk v5 to splunk v6. Did you uprade the version of the UF on your domain controller? If so, you'll have to use the new inputs.conf format on them which is included in the newest SplunkTAwindows.