Hi @Aina For field extractions on json data use spath command: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Spath Export your fields of interest in CSV format (IPs in this case) with outputlookup command: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Outputlookup You can then load that CSV into your query and use it like a whitelist with this commands, lookup, inputlookup: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Inputlookup If this is not the help you were looking for please elaborate your question so that I can help you. KR. ... View more

Oh my bad, \var\log\splunk it is. Thats not normal for sure. ... View more

Hi @dpanych, Any crash log in $SPLUNK_HOME\var\log\splunk ? EDIT: path ... View more

Run this on your forwarder ./splunk enable deploy-client -auth admin:changeme ./splunk restart And check if you are receiving data on your indexer from that forwarder. Let me know how it goes. ... View more

Hi there, Do you mind sharing some sample data to work with ? ... View more

Can you share a deploymentclient.conf file of any forwarder ? ... View more

Hi there Ramu, Please, run this command on your forwarders to see if they were configured properly first. splunk show deploy-poll ... View more

Hi Gautami, does your UF have read access on that directory ? ... View more

Hi @jcrawfordd26 Try giving execution permissions to splunk user/group too, many of this inputs are scripts. ... View more

Hi @dnorman289 Check your internals for a timestamp format related events, you will probably have to specifiy the timestamp format on your props.conf. ... View more

Hi there @cpetterborg Under which user is Splunk UF running ? Domain or local ? I believe it has to be domain user for remote performance monitoring. Are you forwarding any other type of data besides perfmon from that host ? ... View more

Nice, I'm glad it helped! ... View more

Any answer/solution on this Javier ? ... View more

Okey then, give this a try, I don't have data to test it right now but let me know if it's not working aight ? earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740" | eval Account=mvindex(Account_Name, 1) | stats count, latest(_time) AS lastBlock by Account | eval modtime=lastBlock - 3600 | fields - count | map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$" | eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me") | regex Account!="\\$" | eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me") | stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip | convert ctime(lastFailure) | rename Account AS "Blocked Account", count AS LoginFailures Should be same as before but this one has a new field called "otherFailures", that will hold the other types of failures that you have mentioned. It is a concatenated field holding the EventCode and Resulting Code. edit: tested and working ... View more

Besides the changes you want to do now, the query worked out? If not, we have to start over. Is not working with the eventcodes(4768,4771,4776) that you try to add for two main reasons: - They have a completly different event structure. - The query I've posted was made for those events only. So please, let me know what you have in mind now so I can help you. ... View more

Nice, im glad it helped. Happy splunking! ... View more

Can you show me how did you adapt the query I've posted or some data samples ? ... View more

Hi @seetharamanPr Try this. index=acs action=failure signature=Failed_Attempts | stats values(IP) AS IP, count by user | sort - count | head 10 Hope it helps. ... View more

Sorry about that. Tested on lab and fixed. ... View more

Exactly, thats why at the end of the post I've wrote that you could add some case statements to alert when certain conditions are met. ... View more

Thats okey then, those fields could be empty. If the user has an account block (4740) the login failures (4625) might cause that. ... View more