Splunk Search

SPlunk Query-Logins and failure

splunker9999
Path Finder

Hi, Can someone please suggest us a query we can build to find successful login and failed attempts in a separate query?

Thanks

Tags (1)
0 Karma
1 Solution

JMichaelis
Path Finder

Hi,

index=_audit action="login attempt" info=succeeded | table _time user
index=_audit action="login attempt" info=failed | table _time user

View solution in original post

0 Karma

alemarzu
Motivator

Hi there splunker, try like this.

index=_audit tag=authentication info=succeeded | stats count by user, info, host | sort - info

index=_audit tag=authentication info=failed | stats count by user, info, host | sort - info

Dont know about your Splunk environment, but if you are looking to get this from all your instances, you have to forward _audit index to your Search Head.

Hope it helps.

0 Karma

JMichaelis
Path Finder

Hi,

index=_audit action="login attempt" info=succeeded | table _time user
index=_audit action="login attempt" info=failed | table _time user
0 Karma

splunker9999
Path Finder

I guess this gives us information about our saved searches and how they are running.

We are looking to find failed login attempts to splunk hosts?

Thanks

0 Karma

JMichaelis
Path Finder

I'm not quite sure what you mean but I get login attempts with user name. Why should the action="login attempt" prompt saved searches information? If you want to see the hosts as well expand with

index=_audit action="login attempt" info=failed | table _time user host
0 Karma

splunker9999
Path Finder

this works for us.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...