Splunk Search

Nutanix

splunknewbie81
Engager

Hi All,

We configured the logs of a Nutanix cluster to be pushed to Splunk.

Inside Splunk, I can see logs that show [An unsuccessful login attempt was made with username: xxx]

How can I churn this out into a report? I am kind of lost on where to start.


Can someone please explain or guide me along?

Thank You

Regards,

Alex


gcusello
SplunkTrust

Hi @splunknewbie81,

First, you have to study the eventtypes of your logs: e.g. if the condition for the logfail event of Nutanix is only "An unsuccessful login attempt was made", you could create and save an eventtype like this:

index=nutanix "An unsuccessful login attempt was made"

I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!

Remember that to make a search in Splunk 70% of the job is to know what to search and 30% is to build the search in Splunk!

So e.g. if you have to find the condition for the logfail in Windows, you have to take events with EventCode=4625, 4771, 537, 536, 539, 531, etc.

Coming back to your search, when you have identified the logfail condition, you have to extract the interesting fields: if you have a pair fieldname=fieldvalue, Splunk automatically extracts the field, otherwise you have to manually extract it using a regex; in your case, something like this:

| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"

Then you have to create your table, e.g. displaying all logfails:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| table _time user

If instead you want the number of logfails for each user, you could run something like this:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| stats count BY user

You can enrich your search in many ways, but I suggest following the Search Tutorial for this (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial) or Splunk training or videos on YouTube.

Ciao.

Giuseppe

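As an added example (not part of the answer above), the pieces from that answer can be combined into one report search that shows, per hour, which users accumulated repeated failed logins, with first/last occurrence and the number of cluster hosts involved. The `nutanix` index and the message text come from this thread; the wider username character class (to cover names containing dots or `@`), the one-hour span and the threshold of 5 failures are assumptions to tune for your environment.

```spl
index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>[^\s\]]+)"
| eval event_time=_time
| bin _time span=1h
| stats count AS failures, dc(host) AS hosts, min(event_time) AS first_seen, max(event_time) AS last_seen BY _time user
| where failures >= 5
| eval hour=strftime(_time, "%Y-%m-%d %H:00"), first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
| table hour user failures hosts first_seen last_seen
```

Once the results look right, use Save As > Report to keep it, or Save As > Alert to have it run on a schedule and notify when any row is returned.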