We have our test environment in which Splunk Enterprise OVA is installed as server and Windows server (with universal forwarder installed) which is client. From these windows server all the logs are forwarder. I want to find the the consecutive failed logins events within the time span of 1 min. If a next event is successful logon in the middle of the failed logins, it should ignored. Each event has a field which tells whether it was success or failure.