Re: Windows EventLogs: 3 failed logins from 3 diff...

Fe-atSplunk · ‎08-26-2021

Using Windows EventCodes I want to find 3 or more users failing to log in. So far my syntax is

| stats values(user) as user count by host

which looks good. Now I only want to see > 2 users from the same host. | where count > 2 counts the total, not the different values in the "user" field.

Fe-atSplunk · ‎09-06-2021

It was the dc I was missing, so thanks for your response!

PickleRick · ‎08-27-2021

If your search is indeed literarily as you wrote it:

| stats values(user) as user count by host

Then you're getting two different stats values per host - one is a multivalue single field containing all the users for this host, the second one is a sum of all events for this host.

That's probably not what you wanted.

You might list the values and count it afterwards:

| stats values(user) as users by host | eval usercount=mvcount(users)

But it's not very pretty

Or you might use dc(user)

| stats values(user) as users dc(user) as usercount by host

Windows EventLogs: 3 failed logins from 3 different users from same host

count

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation