Nutanix

splunknewbie81
Engager

Hi All,

We configured logs of a nutanix cluster to be pushed to splunk. 

Inside splunk, I can see logs that show [An unsuccessful login attempt was made with username: xxx]

How can I churn this out into a report? I am kind of lost on where to start.

 

Can someone please explain or guide me along?

Thank You

Regards,

Alex


gcusello
SplunkTrust

Hi @splunknewbie81,

At first, you have to study the eventtypes of your logs: e.g. if the condition for the logfail event of nutanix is only "An unsuccessful login attempt was made", you could create and save an eventtype like this:

index=nutanix "An unsuccessful login attempt was made"

I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!

Remember that to make a search in Splunk 70% of the job is to know what to search and 30% is to build the search in Splunk!

So e.g. if you have to find the condition for the logfail in windows you have to take events with EventCode=4625, 4771, 537, 536, 539, 531, etc...

Coming back to your search, when you have identified the logfail condition, you have to extract the interesting fields: if you have a pair fieldname=fieldvalue, Splunk automatically extracts the field, otherwise you have to manually extract it using a regex, in your case, something like this:

| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"

Then you have to create your table, e.g. displaying all logfails:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| table _time user

If otherwise you want the number of logfails for each user, you could run something like this:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| stats count BY user

You can enrich your search in many ways, but I suggest following the Search Tutorial for this (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial) or splunk training or videos on YouTube.

Ciao.

Giuseppe

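As an added illustration (not part of the thread), the answer's rex extraction and `stats count BY user` step done in Python over constructed sample lines, so the behaviour of the regex can be checked offline before it goes into a report; the timestamp/prism prefix, the threshold and the alternative `\S+` pattern are assumptions, not anything from the original posts.

```python
import re
from collections import Counter

# Constructed sample events in the shape quoted in the question; not real Nutanix output.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z prism: An unsuccessful login attempt was made with username: admin",
    "2024-03-01T08:00:05Z prism: An unsuccessful login attempt was made with username: admin",
    "2024-03-01T08:00:09Z prism: An unsuccessful login attempt was made with username: admin",
    "2024-03-01T08:01:00Z prism: An unsuccessful login attempt was made with username: alex",
    "2024-03-01T08:02:00Z prism: A successful login was made with username: alex",
    "2024-03-01T08:03:00Z prism: An unsuccessful login attempt was made with username: svc.backup",
]

# Same pattern as the answer's rex command, in Python named-group syntax.
# Caveat: \w+ stops at '.', '@' or '-', so "svc.backup" is captured as "svc".
LOGFAIL_RE = re.compile(
    r"An unsuccessful login attempt was made with username: (?P<user>\w+)"
)
# Assumed alternative that keeps the whole token up to the next whitespace.
LOGFAIL_RE_NONSPACE = re.compile(
    r"An unsuccessful login attempt was made with username: (?P<user>\S+)"
)


def extract_failed_users(lines, pattern=LOGFAIL_RE):
    """Equivalent of the rex step: the captured user for every matching event."""
    return [m.group("user") for line in lines if (m := pattern.search(line))]


def count_by_user(lines, pattern=LOGFAIL_RE):
    """Equivalent of `| stats count BY user` over the matching events."""
    return Counter(extract_failed_users(lines, pattern))


def users_over_threshold(lines, threshold=3, pattern=LOGFAIL_RE):
    """Users whose failure count reaches the (assumed) threshold, sorted for a report."""
    return sorted(u for u, c in count_by_user(lines, pattern).items() if c >= threshold)


if __name__ == "__main__":
    for user, count in count_by_user(SAMPLE_LOGS).most_common():
        print(f"{user}\t{count}")
    print("over threshold:", users_over_threshold(SAMPLE_LOGS))
```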