Splunk Search

How do I edit my search to display users with more than 2 login failures on a server?

syks
New Member

I am trying to craft a search which will display the users who have failed logins more than 2 times against a server.

Below is the search I am using. Need help to include the "greater than 2 events" search...

sourcetype=wineventlog:security action=failure Source_Network_Address="x.x.x.x" user!=*$ | eval hostname=case(Source_Network_Address == "x.x.x.x", "YYYY") | stats c as "Event Count" values(signature) as "Login Message" values(hostname) as "Source" min(_time) as start max(_time) as stop by user, action | convert ctime(start) | convert ctime(stop)
0 Karma

jkat54
SplunkTrust

Have you tried adding this to your search?

... | where 'Event Count' > 2
0 Karma
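The full search with the threshold applied, as an added example that is not part of the original question or answer. It keeps the placeholder address "x.x.x.x" and display name "YYYY" from the question; the alias `failures` is an assumption introduced here so that the `where` clause filters on a plain field name rather than one containing a space.

```spl
sourcetype=wineventlog:security action=failure Source_Network_Address="x.x.x.x" user!=*$
| eval hostname=case(Source_Network_Address == "x.x.x.x", "YYYY")
| stats count AS failures
        values(signature) AS "Login Message"
        values(hostname) AS "Source"
        min(_time) AS start
        max(_time) AS stop
        BY user, action
| where failures > 2
| convert ctime(start) ctime(stop)
| rename failures AS "Event Count"
```

The `where` command must sit after `stats`, because the count only exists once events have been aggregated per user. If you keep the original alias "Event Count" instead of `failures`, write the filter as `| where 'Event Count' > 2`: in `where` and `eval`, double quotes denote a string literal, so `"Event Count" > 2` compares the text "Event Count" with 2 and matches nothing, while single quotes reference the field by name. `failures > 2` selects users with three or more failed logins, which is what "more than 2" means here; adjust the threshold to suit the server's expected noise from typos and stale credentials.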