Greetings. I am looking to search failed logins for a particular Active Directory group(s). I was thinking I'd have to do a subsearch based on what I've read in the forums. However, ldapsearch isn't an option due to the access I have in our managed Splunk (it's managed by a central team). So I can do a search for failed logins like so:
However, I don't know how to search just a specific group name at the same time and report on just the failed logins for members of that group. Alternatively, I could add the members of the group individually, but since the group membership would change, that would be ineffective (I wouldn't always be aware of the changes).