Splunk Search

How to create a table that shows multiple failed logins on the same workstation by different usernames?

bakalon
Explorer

Hello,
So I'm looking at a use case where I have to create a table that shows multiple failed logins on the same workstation by different usernames.

Here's what I have so far:

index=windows* sourcetype=WinEventLog:Security EventCode=4625 | eval AccountName=mvindex(Account_Name, 1) | stats values(AccountName) by Workstation_Name

That shows all accounts that failed to log in. I want the result where there are multiple failed accounts on the same workstation. So something like ....| where AccountName > 1.

Please let me know if this makes sense. Thanks!

1 Solution

somesoni2
Revered Legend

Try like this

index=windows* sourcetype=WinEventLog:Security EventCode=4625 | eval AccountName=mvindex(Account_Name, 1) |  stats  values(AccountName) as Accounts by Workstation_Name | where mvcount(Accounts)>1
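
The same logic as the accepted search, reimplemented as an added Python example (not code from the thread or from Splunk) so the grouping can be checked offline against a handful of constructed 4625-style events. It mirrors the field shapes Splunk extracts from WinEventLog:Security: Account_Name is a multivalue field in a 4625 event, with the Subject account at index 0 and the account whose logon failed at index 1, which is why the search uses mvindex(Account_Name, 1). The `min_accounts` parameter generalizes the search's `mvcount(Accounts)>1`; the sample events and the function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample events shaped like Splunk's WinEventLog:Security field
# extractions. Account_Name is multivalue: index 0 = Subject account, index 1 =
# the account that failed to log on. The 4624 event is included to show that
# successful logons are filtered out.
SAMPLE_EVENTS = [
    {"EventCode": "4625", "Account_Name": ["-", "alice"], "Workstation_Name": "WS01"},
    {"EventCode": "4625", "Account_Name": ["-", "bob"],   "Workstation_Name": "WS01"},
    {"EventCode": "4625", "Account_Name": ["-", "alice"], "Workstation_Name": "WS01"},
    {"EventCode": "4625", "Account_Name": ["-", "carol"], "Workstation_Name": "WS02"},
    {"EventCode": "4625", "Account_Name": ["-", "carol"], "Workstation_Name": "WS02"},
    {"EventCode": "4624", "Account_Name": ["-", "dave"],  "Workstation_Name": "WS03"},
    {"EventCode": "4625", "Account_Name": ["-", "erin"],  "Workstation_Name": "WS03"},
    {"EventCode": "4625", "Account_Name": ["-", "frank"], "Workstation_Name": "WS03"},
    {"EventCode": "4625", "Account_Name": ["-", "grace"], "Workstation_Name": "WS03"},
]


def mvindex(values, i):
    """Mirror SPL mvindex(): element i of a multivalue field, or None when
    the index is out of range. A single-valued field behaves like a
    one-element multivalue field, so mvindex(single, 1) is None."""
    if values is None:
        return None
    if isinstance(values, str):
        values = [values]
    if -len(values) <= i < len(values):
        return values[i]
    return None


def failed_accounts_by_workstation(events, min_accounts=2):
    """Equivalent of the accepted search:
         EventCode=4625
         | eval AccountName=mvindex(Account_Name, 1)
         | stats values(AccountName) as Accounts by Workstation_Name
         | where mvcount(Accounts)>1
    Returns {Workstation_Name: sorted distinct failing accounts} for every
    workstation with at least min_accounts distinct accounts (default 2,
    matching mvcount(Accounts)>1). stats values() returns distinct values in
    lexicographic order, so the lists are sorted the same way."""
    accounts = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != "4625":
            continue
        name = mvindex(ev.get("Account_Name"), 1)
        ws = ev.get("Workstation_Name")
        if not name or not ws:
            continue  # missing field: the SPL would drop it from the stats group too
        accounts[ws].add(name)
    return {
        ws: sorted(names)
        for ws, names in sorted(accounts.items())
        if len(names) >= min_accounts
    }


if __name__ == "__main__":
    for ws, accts in failed_accounts_by_workstation(SAMPLE_EVENTS).items():
        print(f"{ws}: {', '.join(accts)}")
```

Run against the constructed events this reports WS01 (alice, bob) and WS03 (erin, frank, grace); WS02 is dropped because only one account failed there, and dave's 4624 on WS03 is never counted.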

bakalon
Explorer

Dude!!! Thank you very much. I was not aware of the mvcount expression. This worked like a charm. Cheers!
