Ok i added the user and signature.

this is the updated query:

"| tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication  where earliest=-1d by Authentication.action,Authentication.src,Authentication.signature,Authentication.user,index | `drop_dm_object_name(\"Authentication\")` | eval success=if(action=\"success\",count,0),failure=if(action=\"failure\",count,0) | stats values(app) as app,sum(failure) as failure,sum(success) as success by src,index,signature,user" | where success > 0 | `mltk_apply_upper(\"app:failures_by_src_count_1d\", \"medium\", \"failure\")` | rex field=index \"(?<bu_prefix>[a-zA-Z]+)\" | lookup org_lookup.csv bu_prefix OUTPUTNEW Organization"

Now I need:

1. The query shows app list + number of failures + number of successes, but no correlation of failures/successes to apps, how can I do that?

2. If there is IP address only made several failed login attempts to one user. How can we catch such a scenario?

3. if you see here https://docs.splunk.com/Documentation/CIM/4.17.0/User/Authentication I can change the "src" to "src_ip" or "src_host" but when Im trying to add "Authentication.src_ip" or "Authentication.src_host" its not working as alias only Authentication_src. what to do?