Splunk Search

Nutanix

splunknewbie81
Engager

Hi All,

We configured logs of a Nutanix cluster to be pushed to Splunk.

Inside Splunk, I can see logs that show [An unsuccessful login attempt was made with username: xxx]

How can I churn this out into a report? I am kind of lost on where to start.


Can someone please explain or guide me along?

Thank You

Regards,

Alex


gcusello
SplunkTrust

Hi @splunknewbie81,

At first, you have to study the eventtypes of your logs: e.g. if the condition for the logfail event of Nutanix is only "An unsuccessful login attempt was made", you could create and save an eventtype like this:

index=nutanix "An unsuccessful login attempt was made"

I don't know if there are other conditions but you have the knowledge of Nutanix to find all the conditions!

Remember that to make a search in Splunk 70% of the job is to know what to search and 30% is to build the search in Splunk!

So e.g. if you have to find the condition for the logfail in Windows you have to take events with EventCode=4625, 4771, 537, 536, 539, 531, etc.

Coming back to your search, when you have identified the logfail condition, you have to extract the interesting fields: if you have a pair fieldname=fieldvalue, Splunk automatically extracts the field; otherwise you have to manually extract it using a regex, in your case something like this:

| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"

Then you have to create your table, e.g. displaying all logfails:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| table _time user

If otherwise you want the number of logfails for each user, you could run something like this:

index=nutanix "An unsuccessful login attempt was made"
| rex "An unsuccessful login attempt was made with username: (?<user>\w+)"
| stats count BY user

You can enrich your search in many ways, but I suggest following the Search Tutorial for this (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial) or Splunk training or videos on YouTube.

Ciao.

Giuseppe
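The three steps in the answer above (filter on the logfail string, extract the user, count per user) as an added Python example that is not code from this thread and not Nutanix output: the sample lines are constructed, and the `prism:` prefix, the timestamps and the wider `\S+` capture are assumptions. It also shows why the capture pattern matters for the report: the `\w+` from the answer stops at a dot, so a name like `svc.backup` is counted as `svc`, while `\S+` keeps the whole token. The threshold function is the report/alert condition you would usually add in SPL as `| where count >= 3`.

```python
import re
from collections import Counter

# Constructed sample events in the shape the question describes (not real Nutanix output).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z prism: An unsuccessful login attempt was made with username: alex",
    "2024-05-01T10:00:07Z prism: An unsuccessful login attempt was made with username: alex",
    "2024-05-01T10:00:12Z prism: An unsuccessful login attempt was made with username: alex",
    "2024-05-01T10:01:30Z prism: An unsuccessful login attempt was made with username: admin",
    "2024-05-01T10:02:00Z prism: Login successful for username: alex",
    "2024-05-01T10:03:45Z prism: An unsuccessful login attempt was made with username: svc.backup",
]

# The eventtype / base search condition from the answer.
LOGFAIL_MARKER = "An unsuccessful login attempt was made"

# Same capture as the answer's rex: \w+ stops at '.', '@' or '-'.
USER_RE_WORD = re.compile(r"An unsuccessful login attempt was made with username: (?P<user>\w+)")
# Wider capture (assumption: usernames contain no whitespace) that keeps dotted names whole.
USER_RE_TOKEN = re.compile(r"An unsuccessful login attempt was made with username: (?P<user>\S+)")


def extract_users(events, pattern=USER_RE_TOKEN):
    """Equivalent of: index=nutanix "<marker>" | rex ... | table _time user
    Returns (timestamp, user) tuples for events that match the logfail condition."""
    rows = []
    for line in events:
        if LOGFAIL_MARKER not in line:  # base search filter: drop successful logins etc.
            continue
        m = pattern.search(line)
        if not m:
            continue
        ts = line.split(" ", 1)[0]  # _time stand-in: first token of the constructed line
        rows.append((ts, m.group("user")))
    return rows


def count_by_user(events, pattern=USER_RE_TOKEN):
    """Equivalent of: ... | stats count BY user"""
    return dict(Counter(user for _, user in extract_users(events, pattern)))


def users_over_threshold(events, threshold=3, pattern=USER_RE_TOKEN):
    """Equivalent of: ... | stats count BY user | where count >= threshold
    The usual report/alert condition for repeated failures against one account."""
    return sorted(u for u, c in count_by_user(events, pattern).items() if c >= threshold)


if __name__ == "__main__":
    for ts, user in extract_users(SAMPLE_EVENTS):
        print(ts, user)
    print("count by user (\\S+):", count_by_user(SAMPLE_EVENTS))
    print("count by user (\\w+):", count_by_user(SAMPLE_EVENTS, USER_RE_WORD))
    print("users at/over threshold:", users_over_threshold(SAMPLE_EVENTS))
```

Run it as a script to see the table, the two per-user counts and the accounts that cross the threshold; in Splunk the same logic becomes a saved search with `| where count >= 3` appended and a scheduled alert on it.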
