Splunk Search

How do I search Active Directory logon failure activity to display time, username, event id, and computer name in a table?


Hi,

I would like to write a search for logon failures on Active Directory, and the results should include columns like time, username, event id, and computer name.

Logs are already flooding into Splunk, so I just need this search so that those logs can be viewed in a table.




It will probably be something like this

sourcetype=WinSecurity EventCode=4625 | table _time User EventCode ComputerName

I don't know how to write your search for you, because I don't know how you are bringing the event log into Splunk. What is the sourcetype of the data, how do you identify the events of interest? I guessed at the field names for the table command, based on event logs I have seen in the past, but yours could be different.

You really need to play around with Splunk and your data; the community can help answer specific questions, but it is hard to show the basics in a Q&A format. I recommend the free e-learning course called Splunk Tutorial, as well as an online self-training document Splunk tutorial. (They are similar in content, but not the same.) You can also find videos and documentation at splunk.com.
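Added example, not part of the original answer: a small Python parser over constructed Windows Security 4625 records in the multi-line layout a Splunk Windows event-log input typically produces, building the time/user/event id/computer table the question asks for. It also shows the caveat that a 4625 event carries two "Account Name" lines (the Subject and the account that failed), so a naive field extraction can pick the wrong one; the template layout, host names and sample values are assumptions.

```python
import re

# Assumed, abbreviated layout of the multi-line text Splunk ingests for EventCode 4625.
# The two "Account Name" lines are the point: the first belongs to the Subject
# (often "-"), the second to the account for which the logon failed.
TEMPLATE = (
    "{ts}\nLogName=Security\nEventCode=4625\nComputerName={host}\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\t{user}\n"
    "Failure Information:\n\tSub Status:\t\t{sub}\n"
)
# Common NTSTATUS sub-status codes seen in 4625 events.
SUB_STATUS = {"0xC000006A": "bad password", "0xC0000064": "unknown user"}

# Constructed sample events (not real data); the last one is a successful logon (4624)
# and must be filtered out, just as EventCode=4625 does in the search above.
EVENTS = [
    TEMPLATE.format(ts="05/14/2024 09:12:31 AM", host="DC01", user="jsmith", sub="0xC000006A"),
    TEMPLATE.format(ts="05/14/2024 09:12:40 AM", host="DC01", user="jsmith", sub="0xC000006A"),
    TEMPLATE.format(ts="05/14/2024 09:13:02 AM", host="DC02", user="svc_backup", sub="0xC0000064"),
    TEMPLATE.format(ts="05/14/2024 09:13:10 AM", host="DC02", user="asmith", sub="0x0")
        .replace("EventCode=4625", "EventCode=4624"),
]

def parse_4625(raw):
    """Return (time, user, event id, computer, reason) for one 4625 record, else None."""
    code = re.search(r"^EventCode=(\d+)$", raw, re.M)
    if not code or code.group(1) != "4625":
        return None
    # Take the Account Name inside the "Account For Which Logon Failed" section only.
    user = re.search(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)", raw, re.S)
    host = re.search(r"^ComputerName=(.+)$", raw, re.M)
    sub = re.search(r"Sub Status:\s+(0x[0-9A-Fa-f]+)", raw)
    reason = SUB_STATUS.get(sub.group(1), sub.group(1)) if sub else "unknown"
    return (raw.split("\n", 1)[0], user.group(1), "4625", host.group(1), reason)

def logon_failure_table(events):
    """Rows in the same column order as '| table _time User EventCode ComputerName'."""
    return [row for row in map(parse_4625, events) if row]

def failures_per_user(rows):
    """Rough equivalent of '| stats count by User' for spotting bursts against one account."""
    counts = {}
    for _, user, _, _, _ in rows:
        counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    rows = logon_failure_table(EVENTS)
    for row in rows:
        print("\t".join(row))
    print(failures_per_user(rows))
```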