Splunk Search

How to find out failed login attempts (Event Code=4625) which happen more than 6 times within one hour?

90509
Engager

Hi All,

I would like to find out failed login attempts that happen more than 6 times within a 1 hr time span. So here the main thing is that the data comes up with event codes (Event Codes=4638, 4722, 4720) each and every time when we run a search in the search bar.

Event code 4625 should be separate from all the other event codes, because 4625 is the only event code where we look for more than 6 failed attempts. The other three event codes we need to see each time they happen.
Could anyone please assist me with how to pull the 3 event codes every time, except event code 4625?

Below is my search:

index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
| where count>6
| fields - HourDay
| search NOT
    [| inputlookup ........csv
     | rename service_accounts as user]

0 Karma

90509
Engager

I hope the logic is correct, but I don't know; I am getting an error like "Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)"

0 Karma

sandeepmakkena
Contributor

| multisearch
    [ search index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND EventCode=4625
      | eval min_count=6 ]
    [ search index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND (EventCode=4720 OR EventCode=4722 OR EventCode=4738)
      | eval min_count=1 ]
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner, dvc_bunit, dvc_ip, subject, dvc, min_count
| where count>min_count
| fields - HourDay, min_count
| search NOT
    [| inputlookup ........csv
     | rename service_accounts as user]

This should work.

0 Karma
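The per-hour threshold logic the question asks for (more than 6 EventCode 4625 hits per user per hour, the three account-management codes every time they occur, accounts from the service-account lookup excluded), written out as an added Python example that is not part of this thread. Field names mirror the SPL; the events and the SERVICE_ACCOUNTS set are constructed stand-ins for the index and the CSV lookup.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Added example (not from the thread). Thresholds mirror the SPL: EventCode 4625
# must exceed 6 per user per hour; the account-management codes are reported
# whenever they occur (count > 0).
THRESHOLDS = {4625: 6}
PASS_THROUGH = {4720, 4722, 4738}
SERVICE_ACCOUNTS = {"svc_backup"}  # constructed stand-in for the inputlookup CSV

def hour_bucket(ts):
    """Equivalent of `bin _time span=1hr`: floor the epoch time to the hour (UTC)."""
    epoch = int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
                .replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % 3600

def find_alerts(events):
    """Return (user, hour_epoch, event_code, count) rows that meet the per-code rule."""
    counts = defaultdict(int)  # same grouping as `stats count by user, HourDay, EventCode`
    for ev in events:
        user, code = ev["user"], ev["EventCode"]
        if user is None or user in SERVICE_ACCOUNTS:
            continue  # `NOT user=null` and `search NOT [inputlookup ...]`
        if code not in THRESHOLDS and code not in PASS_THROUGH:
            continue  # not one of the four codes the search selects
        counts[(user, hour_bucket(ev["_time"]), code)] += 1
    # `where count>6` for 4625; any occurrence at all for the pass-through codes
    return [(u, h, c, n) for (u, h, c), n in sorted(counts.items())
            if n > THRESHOLDS.get(c, 0)]

def _ev(ts, user, code):
    return {"_time": ts, "user": user, "EventCode": code}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    [_ev(f"2024-03-04 09:{m:02d}:00", "alice", 4625) for m in range(5, 54, 7)]   # 7 failures
    + [_ev(f"2024-03-04 09:{m:02d}:00", "bob", 4625) for m in range(0, 60, 10)]  # exactly 6
    + [_ev("2024-03-04 10:01:00", "alice", 4625)]            # next hour bucket: count 1
    + [_ev("2024-03-04 09:30:00", "carol", 4720)]            # account created: always reported
    + [_ev("2024-03-04 09:31:00", "svc_backup", 4625)] * 8   # service account: excluded
    + [_ev("2024-03-04 09:32:00", "dave", 4624)]             # successful logon: not selected
)

def run_sample():
    return find_alerts(SAMPLE_EVENTS)

if __name__ == "__main__":
    for user, hour, code, n in run_sample():
        print(f"{datetime.fromtimestamp(hour, timezone.utc):%Y-%m-%d %H:00} {user} {code} x{n}")
```

Only alice (7 failures in the 09:00 hour) and carol's single 4720 are reported; bob's exactly 6 failures and alice's lone failure in the next hour are not.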

sandeepmakkena
Contributor

Did this work?

0 Karma

90509
Engager

No, the second part of the search is not working.

0 Karma