Hi All,
We configured logs of a nutanix cluster to be pushed to splunk.
Inside Splunk, I can see logs that show [An unsuccessful login attempt was made with username: xxx]
How can I churn this out into a report? I am kind of lost on how to start.
Can someone please explain or guide me along?
Thank You
Regards,
Alex
Hi @splunknewbie81,
first, you have to study the eventtypes of your logs: e.g. if the condition for the logfail event of Nutanix is only "An unsuccessful login attempt was made", you could create and save an eventtype like this:
index=nutanix "An unsuccessful login attempt was made"
I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!
Remember that to make a search in Splunk 70% of the job is to know what to search and 30% is to build the search in Splunk!
So e.g. if you have to find the condition for the logfail in Windows you have to take events with EventCode=4625, 4771, 537, 536, 539, 531, etc.
Coming back to your search, when you have identified the logfail condition, you have to extract the interesting fields: if you have a pair fieldname=fieldvalue, Splunk automatically extracts the field; otherwise you have to manually extract it using a regex, in your case something like this:
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
Then you have to create your table, e.g. displaying all logfails:
index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| table _time user
If instead you want the number of logfails for each user, you could run something like this:
index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| stats count BY user
You can enrich your search in many ways, but I suggest following the Search Tutorial for this (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial) or Splunk training or videos on YouTube.
Ciao.
Giuseppe
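To turn the pieces of the reply above into a persistent, scheduled report (the original question), here is an added configuration example that is not from the thread: the eventtype saved once, a props.conf search-time extraction so the inline rex is no longer needed, and a savedsearches.conf stanza that runs the per-user count every morning. The sourcetype name `nutanix:syslog` and the report name are assumptions; the eventtype and regex are the ones from the reply.

```ini
# eventtypes.conf: the "logfail" condition from the reply, saved once so
# every search and report can refer to it by name
[nutanix_login_failure]
search = index=nutanix "An unsuccessful login attempt was made"

# props.conf: extract the username at search time for this sourcetype,
# so "| rex" does not have to be repeated in every search.
# "nutanix:syslog" is an assumed sourcetype name; use whatever your Nutanix
# inputs actually set. Widen \w+ (e.g. [^\s,]+) if usernames can contain
# dots, hyphens or a DOMAIN\ prefix, otherwise those events lose the field.
[nutanix:syslog]
EXTRACT-user = An unsuccessful login attempt was made with username: (?<user>\w+)

# savedsearches.conf: a scheduled report that runs daily at 06:00 over the
# previous calendar day; the stored results appear under Reports in Splunk Web
[Nutanix - failed logins by user (daily)]
search = eventtype=nutanix_login_failure | stats count AS failed_logins min(_time) AS first_seen max(_time) AS last_seen BY user | convert ctime(first_seen) ctime(last_seen) | sort -failed_logins
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
```

Events without a `user` value (for example usernames the regex did not match) are dropped by `BY user`; check `eventtype=nutanix_login_failure NOT user=*` occasionally to see whether the extraction needs widening.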