Splunk Search

Nutanix

splunknewbie81
Engager

Hi All,

We configured the logs of a Nutanix cluster to be pushed to Splunk.

Inside Splunk, I can see logs that show [An unsuccessful login attempt was made with username: xxx]

How can I churn this out into a report? I am kind of lost on how to start.

 

Can someone please explain or guide me along?

Thank You

Regards,

Alex


0 Karma

gcusello
SplunkTrust

Hi @splunknewbie81,

first, you have to study the eventtypes of your logs: e.g. if the only condition for the logfail event of Nutanix is "An unsuccessful login attempt was made", you could create and save an eventtype like this:

index=nutanix "An unsuccessful login attempt was made"

I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!

Remember that to make a search in Splunk, 70% of the job is to know what to search for and 30% is to build the search in Splunk!

So e.g. if you have to find the condition for the logfail in Windows, you have to take events with EventCode=4625, 4771, 537, 536, 539, 531, etc...

Coming back to your search: once you have identified the logfail condition, you have to extract the interesting fields. If you have a fieldname=fieldvalue pair, Splunk automatically extracts the field; otherwise you have to extract it manually using a regex, in your case something like this:

| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"

Then you have to create your table, e.g. displaying all logfails:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| table _time user

If instead you want the number of logfails for each user, you could run something like this:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| stats count BY user

You can enrich your search in many ways, but I suggest following the Search Tutorial for this (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial), or Splunk training, or videos on YouTube.

Ciao.

Giuseppe

0 Karma
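The following is an added example, not code from the thread, from Splunk or from Nutanix. It reproduces the pipeline in the answer above (match the message, extract the user with a regex, count per user) in plain Python over a handful of constructed log lines, so you can validate the regex offline before saving it as an eventtype and report. Only the message text "An unsuccessful login attempt was made with username: ..." is taken from the thread; the timestamp layout, the "prism_gateway:" prefix and the usernames are assumptions for illustration. It also shows one caveat a practitioner would want: the answer's `\w+` capture stops at `.`, `@` and `-`, so a username such as `j.doe@corp.example` is recorded as `j`; `\S+` captures the whole token. The `failed_logins_by_user` and `flag_bruteforce` helpers mirror `stats count earliest(_time) latest(_time) by user | where count>=5`.

```python
import re
from datetime import datetime

# Constructed sample events. Only the quoted failure message comes from the
# thread; the timestamp format, source prefix and usernames are made up.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01Z prism_gateway: An unsuccessful login attempt was made with username: admin
2024-03-01T10:00:04Z prism_gateway: An unsuccessful login attempt was made with username: admin
2024-03-01T10:00:09Z prism_gateway: An unsuccessful login attempt was made with username: admin
2024-03-01T10:00:15Z prism_gateway: An unsuccessful login attempt was made with username: admin
2024-03-01T10:00:20Z prism_gateway: An unsuccessful login attempt was made with username: admin
2024-03-01T10:02:00Z prism_gateway: An unsuccessful login attempt was made with username: j.doe@corp.example
2024-03-01T10:05:30Z prism_gateway: Successful login for username: admin
2024-03-01T10:06:00Z prism_gateway: An unsuccessful login attempt was made with username: svc-backup
"""

# The regex from the answer: \w+ stops at '.', '@' and '-', truncating
# "j.doe@corp.example" to "j" and "svc-backup" to "svc".
NARROW_RE = re.compile(
    r"An unsuccessful login attempt was made with username: (?P<user>\w+)")
# Broader capture: everything up to the next whitespace character.
WIDE_RE = re.compile(
    r"An unsuccessful login attempt was made with username: (?P<user>\S+)")


def extract_users(text, pattern=WIDE_RE):
    """Return a list of (timestamp, user) for every line matching the failure message.

    Equivalent to the search filter plus `| rex ... (?<user>...)`.
    """
    results = []
    for line in text.splitlines():
        match = pattern.search(line)
        if not match:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        results.append((ts, match.group("user")))
    return results


def failed_logins_by_user(events):
    """Equivalent of `| stats count earliest(_time) latest(_time) by user`."""
    summary = {}
    for ts, user in events:
        entry = summary.setdefault(user, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def flag_bruteforce(summary, threshold=5, window_seconds=300):
    """Users with at least `threshold` failures whose first and last failure
    fall within `window_seconds` (the `| where count>=5` step, plus a time bound).
    Threshold and window are assumed values, tune them to your environment."""
    return sorted(
        user for user, e in summary.items()
        if e["count"] >= threshold
        and (e["last"] - e["first"]).total_seconds() <= window_seconds
    )


if __name__ == "__main__":
    events = extract_users(SAMPLE_EVENTS)
    summary = failed_logins_by_user(events)
    for user, e in sorted(summary.items()):
        print(f"{user:22} count={e['count']} first={e['first']} last={e['last']}")
    print("flagged for brute force:", flag_bruteforce(summary))
```

Once the regex behaves on your real events, the Splunk equivalent of the per-user summary is `index=nutanix "An unsuccessful login attempt was made" | rex "with username: (?<user>\S+)" | stats count earliest(_time) as first_seen latest(_time) as last_seen by user | where count>=5`; run it in Search, then use Save As > Report to schedule it.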