Windows security events search

lohit · ‎08-14-2013

I have to capture the failed login attempts over windows machines.
I am filtering on the basis of EventCode=4625.
For a particular User,I am getting multiple events for a time event, like failed events for a user are coming around 10-11 in 1 minute.
Please help me with this search so that I can remove all the redundancy of user names like "-".
I want to display 4 fields- user name, last login, host, total count of failed events

splunk68 · ‎08-14-2013

You could try something like this:

index="MyIndex" EventCode="4625" | eval Username=(mvindex(Account_Name,1)) | stats count by Username,host | table Username,host,count

Regarding "last login",you could simply do a search like:

index="MyIndex" EventCode="4625" | eval Username=(mvindex(Account_Name,1)) | dedup Username | table _time,Username,host

I guess combining "last login" with the count of failed events is a little bit tricky. You could try appending a search.

lukejadamec · ‎08-14-2013

What you are seeing is the effect of having two fields named Account Name. The count for - will equal the sum of all other Account Names.

Use this to check the first entry for a value, and if its null then get the second entries value:

eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))

This will create the new value User, but you will probably have to 'View all fields' to see it.
The User field will not contain -.

You can find more information here:
http://answers.splunk.com/answers/2649/same-fields-with-different-values-in-one-event

MarioM · ‎08-14-2013

Why not using the windows app and AD app?

Splunk for Windows

Splunk for Active Directory

They have those kind of searches/reports and you can add yours too.

lohit · ‎08-14-2013

i am asked to make a self search for this.

Windows security events search

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk