
If I have a process id that fails to log in to Splunk, how can I find out what the failure was?

Communicator

I ran this search:

index=_audit action=failure | stats count by _time,user,action

which returned a desired result of:

Audit:[timestamp=12-16-2015 08:46:42.599, user=mybatchprocessid, action=login attempt, info=failed][n/a]

How can I find out what the failure was? Bad password? Wrong logon type?

0 Karma

Re: If I have a process id that fails to log in to Splunk, how can I find out what the failure was?

Builder

Hi,

Have you tried just filtering _internal with the keywords?

index=_internal error mybatchprocessid


Re: If I have a process id that fails to log in to Splunk, how can I find out what the failure was?

Communicator

Yes, that was exactly what I needed. Thanks.

0 Karma
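
The approach from the accepted answer, pairing the failed `_audit` event with `_internal` errors that name the same user at about the same time, shown offline on exported lines as an added example (not part of the original thread and not Splunk's own code). The `_internal` lines, their simplified "date time LEVEL rest" layout, the component name, and the helper names `parse_audit` and `related_errors` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. AUDIT_EVENT is the event quoted in the question;
# INTERNAL_LINES are invented stand-ins for exported index=_internal events
# (component name and messages are placeholders, not real Splunk output).
AUDIT_EVENT = ("Audit:[timestamp=12-16-2015 08:46:42.599, user=mybatchprocessid, "
               "action=login attempt, info=failed][n/a]")
INTERNAL_LINES = [
    "12-16-2015 08:40:01.100 INFO ExampleComponent - scheduled job finished",
    "12-16-2015 08:46:42.601 ERROR ExampleComponent - login rejected for user=mybatchprocessid reason=<constructed>",
    "12-16-2015 08:46:43.000 ERROR ExampleComponent - login rejected for user=otheruser reason=<constructed>",
    "12-16-2015 09:30:00.000 ERROR ExampleComponent - mybatchprocessid unrelated later error",
]
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"

def parse_audit(event):
    """Split an Audit:[k=v, k=v, ...] event into a dict and parse its timestamp."""
    body = re.match(r"Audit:\[(.*?)\]", event).group(1)
    fields = dict(pair.split("=", 1) for pair in body.split(", "))
    fields["timestamp"] = datetime.strptime(fields["timestamp"], TS_FORMAT)
    return fields

def related_errors(audit, lines, window_seconds=5):
    """Return ERROR lines that name the audit user within +/- window_seconds."""
    window = timedelta(seconds=window_seconds)
    # Match the user as a whole token so "mybatchprocessid2" does not count.
    user_re = re.compile(r"(?<![\w.-])%s(?![\w.-])" % re.escape(audit["user"]))
    hits = []
    for line in lines:
        m = re.match(r"(\S+ \S+) (\w+) (.*)", line)
        if not m:
            continue  # not in the assumed "date time LEVEL rest" layout
        when = datetime.strptime(m.group(1), TS_FORMAT)
        in_window = abs(when - audit["timestamp"]) <= window
        if m.group(2) == "ERROR" and in_window and user_re.search(m.group(3)):
            hits.append(line)
    return hits

if __name__ == "__main__":
    audit = parse_audit(AUDIT_EVENT)
    if audit["action"] == "login attempt" and audit["info"] == "failed":
        for line in related_errors(audit, INTERNAL_LINES):
            print(line)
```

Bounding the match by time matters because a keyword-only filter on the user name also returns that account's unrelated errors from other times.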