Splunk Search

Transaction with WinEventLog:Security EventCodes 4624 and 4625

Path Finder

Trying to figure out how to get a transaction search to show results where there are 5 or more failed logons (4625) and then a successful logon (4624). Have a transaction search that works, but all of the results are one failed logon followed by a successful logon. These are the typical fat-fingered the first time and then successfully logon scenarios. Want to see where there are more failed logon attempts and then the successful logon. Below is the base transaction search. Looked at the post ->
https colon slash slash answers dot splunk dot com/answers/351046/how-do-i-edit-my-transaction-search-to-find-over-3 dot html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev , but that seems to only work if one EventCode is in the search. Thank you in advance for your assistance.

index=wineventlog EventCode=4625 OR EventCode=4624 Account_Name!="*$" 
| transaction user, Workstation_Name maxspan=10m startswith=(action="failure") endswith=(action="success")
0 Karma

Ultra Champion

hello there,

here is a great answer by @lguinn for the same use case.
another great one by @woodcock

hope those solves it for you, and if not, comment and we will keep at it

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...