How do I edit my search to display users with more than 2 login failures on a server?

New Member

I am trying to craft a search which will display the users who have failed logins more than 2 times against a server.

Below is the search I am using. I need help to include the "greater than 2 events" condition.

sourcetype=wineventlog:security action=failure Source_Network_Address="x.x.x.x" user!=*$ | eval hostname=case(Source_Network_Address == "x.x.x.x", "YYYY") | stats c as "Event Count" values(signature) as "Login Message" values(hostname) as "Source" min(_time) as start max(_time) as stop by user, action | convert ctime(start) | convert ctime(stop)
Re: How do I edit my search to display users with more than 2 login failures on a server?

SplunkTrust

Have you tried adding this to your search?

... | where 'Event Count' > 2
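The same "group failures by user, then keep only users above a threshold" logic, re-implemented offline in Python as an added example (not from the original thread or from Splunk). It assumes a list of constructed event dictionaries carrying the fields the search above uses (`_time`, `action`, `user`, `Source_Network_Address`, `signature`); the source-address-to-hostname map stands in for the `eval hostname=case(...)` step, the `$` suffix filter mirrors `user!=*$`, and the threshold mirrors the `where` clause in the answer.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events shaped like the fields of the page's search.
SAMPLE_EVENTS = [
    {"_time": "2024-01-15 08:01:10", "action": "failure", "user": "alice",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:01:42", "action": "failure", "user": "alice",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:02:05", "action": "failure", "user": "alice",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:03:00", "action": "failure", "user": "bob",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:03:30", "action": "failure", "user": "bob",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:04:00", "action": "failure", "user": "carol",
     "Source_Network_Address": "10.0.0.9", "signature": "An account failed to log on"},
    # Machine account: excluded by the user!=*$ filter in the original search.
    {"_time": "2024-01-15 08:05:00", "action": "failure", "user": "WKSTN01$",
     "Source_Network_Address": "10.0.0.5", "signature": "An account failed to log on"},
    {"_time": "2024-01-15 08:06:00", "action": "success", "user": "dave",
     "Source_Network_Address": "10.0.0.5", "signature": "An account was successfully logged on"},
]

# Stand-in for: eval hostname=case(Source_Network_Address == "x.x.x.x", "YYYY")
HOSTNAMES = {"10.0.0.5": "YYYY"}

# Splunk's convert ctime() renders epoch time as MM/DD/YYYY HH:MM:SS.
CTIME_FMT = "%m/%d/%Y %H:%M:%S"


def failed_logins_over_threshold(events, source_ip, threshold=2):
    """Return one row per (user, action) with more than `threshold` failures
    from `source_ip`, mirroring the stats ... by user, action | where step."""
    groups = defaultdict(list)
    for ev in events:
        if ev["action"] != "failure":                       # action=failure
            continue
        if ev["Source_Network_Address"] != source_ip:       # Source_Network_Address="x.x.x.x"
            continue
        if ev["user"].endswith("$"):                        # user!=*$ (machine accounts)
            continue
        groups[(ev["user"], ev["action"])].append(ev)

    rows = []
    for (user, action), evs in groups.items():
        count = len(evs)                                    # stats c as "Event Count"
        if count <= threshold:                              # where 'Event Count' > 2
            continue
        times = [datetime.strptime(e["_time"], "%Y-%m-%d %H:%M:%S") for e in evs]
        rows.append({
            "user": user,
            "action": action,
            "Event Count": count,
            # values() yields the sorted distinct values of a field.
            "Login Message": sorted({e["signature"] for e in evs}),
            "Source": sorted({HOSTNAMES.get(e["Source_Network_Address"],
                                            e["Source_Network_Address"]) for e in evs}),
            "start": min(times).strftime(CTIME_FMT),       # min(_time) + convert ctime
            "stop": max(times).strftime(CTIME_FMT),        # max(_time) + convert ctime
        })
    return sorted(rows, key=lambda r: r["user"])


if __name__ == "__main__":
    for row in failed_logins_over_threshold(SAMPLE_EVENTS, "10.0.0.5"):
        print(row)
```

With the constructed data only `alice` (3 failures) survives the default threshold; `bob` has exactly 2 and is dropped, `carol` failed from a different address, and the machine account is filtered out before counting. Lowering `threshold` to 1 brings `bob` into the result, which is a quick way to sanity-check the boundary before trusting the production search.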