How do I search Active Directory logon failure activity to display time, username, event id, and computer name in a table?

Urao
Engager

Hi,

I would like to write a search for logon failures in Active Directory, and the results should include columns like time, username, event ID, and computer name.

Logs are already flooding into Splunk, so I just need this search so that those logs can be viewed in a table.

Thanks,
Uma.


lguinn2
Legend

It will probably be something like this:

sourcetype=WinSecurity EventCode=4625 | table _time User EventCode ComputerName

I don't know how to write your search for you, because I don't know how you are bringing the event log into Splunk. What is the sourcetype of the data, how do you identify the events of interest? I guessed at the field names for the table command, based on event logs I have seen in the past, but yours could be different.

You really need to play around with Splunk and your data; the community can help answer specific questions, but it is hard to show the basics in a Q&A format. I recommend the free e-learning course called Splunk Tutorial, as well as an online self-training document Splunk tutorial. (They are similar in content, but not the same.) You can also find videos and documentation at splunk.com.
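As an added illustration (not from the thread and not Splunk's own code), the Python below does over a few constructed Windows Security event texts what the search above does: keep only EventCode 4625 and tabulate time, user, event code and computer name. It assumes the multi-line text layout of the Security log, and it shows a caveat worth checking in your own data: a 4625 event carries two "Account Name" fields, the Subject account and the account whose logon failed, and the table should use the latter.

```python
import re
from datetime import datetime

# Constructed sample events in the multi-line text layout of the Windows Security
# log (sample input, not data from the thread). Note that both "Subject" and
# "Account For Which Logon Failed" carry an "Account Name" line.
SAMPLE_EVENTS = [
    "06/01/2025 09:15:02 AM\nEventCode=4625\nComputerName=DC01.corp.example\n"
    "Subject:\n\tAccount Name:\t\tDC01$\n\tAccount Domain:\t\tCORP\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"
    "Failure Information:\n\tStatus:\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n",
    "06/01/2025 09:15:09 AM\nEventCode=4624\nComputerName=DC01.corp.example\n"
    "Subject:\n\tAccount Name:\t\t-\nNew Logon:\n\tAccount Name:\t\tadmin\n",
    "06/01/2025 09:16:40 AM\nEventCode=4625\nComputerName=FS02.corp.example\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tsvc_backup\n\tAccount Domain:\t\tCORP\n"
    "Failure Information:\n\tStatus:\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n",
]

HEADER_RE = re.compile(r"^(\w+)=(.*)$")          # e.g. EventCode=4625
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # e.g. "\tAccount Name:\t\tjsmith"

def parse_event(raw):
    """Flatten one event; indented fields are prefixed with their section name."""
    lines = raw.strip().splitlines()
    event = {"_time": datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p")}
    section = None
    for line in lines[1:]:
        if not line[:1].isspace() and line.endswith(":"):
            section = line[:-1].replace(" ", "_")        # section header
        elif (m := HEADER_RE.match(line)):
            event[m.group(1)] = m.group(2)               # top-level key=value
        elif (m := FIELD_RE.match(line)) and section:
            key = m.group(1).strip().replace(" ", "_")
            event[f"{section}.{key}"] = m.group(2).strip()
    return event

def failed_logon_table(raw_events):
    """Mirror of: EventCode=4625 | table _time User EventCode ComputerName."""
    rows = []
    for ev in map(parse_event, raw_events):
        if ev.get("EventCode") != "4625":                # keep only logon failures
            continue
        rows.append({"_time": ev["_time"].strftime("%Y-%m-%d %H:%M:%S"),
                     # the account whose logon failed, not the Subject account
                     "User": ev["Account_For_Which_Logon_Failed.Account_Name"],
                     "EventCode": ev["EventCode"], "ComputerName": ev["ComputerName"]})
    return rows
```

In Splunk the same distinction appears as a multi-valued Account_Name field on 4625 events, so check which value your extraction puts in the field you use for the User column.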
