I ran this search:
index=_audit action=failure | stats count by _time,user,action
which returned a desired result of:
Audit:[timestamp=12-16-2015 08:46:42.599, user=mybatchprocessid, action=login attempt, info=failed][n/a]
How can I find out what the failure was? Bad password? Wrong logon type?
Have you tried just filtering the _internal index with the keywords?
index=_internal error mybatchprocessid
Yes, that was exactly what I needed. Thanks.