Splunk Search

Count Consecutive Failed Logins Events

Sagar0511
Explorer

We have our test environment in which the Splunk Enterprise OVA is installed as the server and a Windows server (with the universal forwarder installed) is the client. All the logs are forwarded from this Windows server. I want to find the consecutive failed login events within a time span of 1 min. If the next event is a successful logon in the middle of the failed logins, it should be ignored. Each event has a field which tells whether it was a success or a failure.

For Ex: I have tried using the below query.

1. index=wineventslog EventCode=4625 | eval Result=if((EventCode=4625), "FAILED", "SUCCESSFUL") | streamstats count time_window=1m | table Account_Name,Result,dest,ComputerName | dedup Account_Name

2. index=wineventslog EventCode=4625 | streamstats count time_window=1m | table Account_Name,action,dest,ComputerName | dedup Account_Name

Any help to resolve this issue.
Thanks

Rishabh_McKc
Explorer

above answer is not valid for consecutive failed attempts

0 Karma

gcusello
SplunkTrust

Hi Sagar0511,
if you want all the failed logins in a minute, you could use a search like this:

index=wineventslog EventCode=4625
| stats values(Account_Name) AS Account_Name values(dest) AS dest values(ComputerName) AS ComputerName count

If you want to know the failed logins for each Account_Name, you can add the BY clause at the end of the search:

index=wineventslog EventCode=4625
| stats values(dest) AS dest values(ComputerName) AS ComputerName count BY Account_Name

If instead a successful login resets the count, you can use something like this:

index=wineventslog EventCode=4624 OR EventCode=4625 
| transaction startswith="EventCode=4625" endswith="EventCode=4624"
| table Account_Name dest ComputerName eventcount

If a successful login resets the count and you want the count per user, you can use something like this:

index=wineventslog EventCode=4624 OR EventCode=4625 
| transaction Account_Name startswith="EventCode=4625" endswith="EventCode=4624"
| table Account_Name dest ComputerName eventcount

Bye.
Giuseppe

0 Karma
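
The counting rule asked about in this thread (failed logons in a row for one account, within one minute, with a successful logon resetting the run), written out as an added Python reference for checking a search's results against exported events. It is not SPL and not code from any poster; the field names come from the thread, while the threshold of 3 and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque

def consecutive_failures(events, window=60, threshold=3):
    """Longest run of 4625 failures per account inside `window` seconds.

    A 4624 success for the same account ends its run. Returns {account: run_length}
    for accounts whose longest run reached `threshold` (an assumed alert level).
    """
    runs = defaultdict(deque)      # account -> timestamps of the current failure run
    longest = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["_time"]):
        account = ev["Account_Name"].lower()   # Windows account names are case-insensitive
        code = int(ev["EventCode"])
        if code == 4624:           # successful logon: reset this account's run
            runs[account].clear()
        elif code == 4625:         # failed logon: extend the run
            run = runs[account]
            run.append(ev["_time"])
            while ev["_time"] - run[0] > window:   # drop failures older than the window
                run.popleft()
            longest[account] = max(longest[account], len(run))
    return {a: n for a, n in longest.items() if n >= threshold}

def _ev(offset, code, account):
    """Build one constructed event; offset is seconds from an arbitrary base time."""
    return {"_time": 1_700_000_000 + offset, "EventCode": code, "Account_Name": account}

# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    _ev(0, 4625, "alice"), _ev(10, 4625, "alice"), _ev(20, 4625, "Alice"),
    _ev(0, 4625, "bob"), _ev(10, 4625, "bob"), _ev(15, 4624, "bob"),
    _ev(20, 4625, "bob"), _ev(30, 4625, "bob"),
    _ev(0, 4625, "carol"), _ev(50, 4625, "carol"), _ev(100, 4625, "carol"),
]

if __name__ == "__main__":
    print(consecutive_failures(SAMPLE_EVENTS))
```

In the sample, bob has four failures inside a minute but never more than two in a row, and carol's three failures never fall inside one 60-second window, so only alice is reported; a plain count of 4625 events per account would not separate these cases.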