Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Windows security events search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows security events search
I have to capture the failed login attempts over windows machines.
I am filtering on the basis of EventCode=4625.
For a particular User,I am getting multiple events for a time event, like failed events for a user are coming around 10-11 in 1 minute.
Please help me with this search so that I can remove all the redundancy of user names like "-".
I want to display 4 fields- user name, last login, host, total count of failed events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try something like this:
index="MyIndex" EventCode="4625" | eval Username=(mvindex(Account_Name,1)) | stats count by Username,host | table Username,host,count
Regarding "last login",you could simply do a search like:
index="MyIndex" EventCode="4625" | eval Username=(mvindex(Account_Name,1)) | dedup Username | table _time,Username,host
I guess combining "last login" with the count of failed events is a little bit tricky. You could try appending a search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you are seeing is the effect of having two fields named Account Name. The count for - will equal the sum of all other Account Names.
Use this to check the first entry for a value, and if its null then get the second entries value:
eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))
This will create the new value User, but you will probably have to 'View all fields' to see it.
The User field will not contain -.
You can find more information here:
http://answers.splunk.com/answers/2649/same-fields-with-different-values-in-one-event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not using the windows app and AD app?
They have those kind of searches/reports and you can add yours too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am asked to make a self search for this.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
