@woodcock   I ran your query on my Splunk instance, and it shows "First Failure" time to be ahead of "Final Success" time. Screenshot below   IF the search is for Multiple Failed logins followed by a successful login how can a success event timestamp be before the Failure ?  Hope you are getting me.    ... View more

Excellent!  I love it when someone provides working SPL that I can just copy and paste - and BOOM it gives me what I need.  Thank you! ... View more

Try running broken hosts app https://splunkbase.splunk.com/app/3247/#/details ... View more

Great answer, solved my problem. Thank you very much for your sharing. ... View more

@ecanmaster - if elliot's comment has helped you with your question, then please accept the answer so that the question will show as closed. If you need more information, please let us know and we will give you more help. ... View more

thx iventsekar, index=main base-search "C:\\Windows\\explorer" this was good enough, I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you ... View more

The trivial answer is | sort 0 _time user instead of reverse . index=* sourcetype=linux_secure tag=authentication action="failure" OR action="success" | sort 0 _time user | streamstats sum(eval(match(action,"failure"))) AS action_count reset_after="("match(action,\"success\")")" BY user | where match(action,"success") AND action_count>=3 The later reverse doesn't really seem to be necessary anyway... I'm still looking for the elegant answer... As a general case I'd usually do something like this... | rename COMMENT as "The above just creates test data" | sort 0 _time user | rename COMMENT as "break the events into groups based on change of action" | streamstats current=f last(action) as prioraction by user | eval newgroup=case(isnull(prioraction),1, action!=prioraction,1) | streamstats sum(newgroup) as groupno by user | rename COMMENT as "identify what I'm counting for each group and count it up" | eval countable=if(action="failure",1,0) | eventstats sum(countable) as groupcount by user groupno | rename COMMENT as "in this case, we want the value from the prior failure group only on the first record of the new success group" | streamstats current=f last(groupcount) as priorcount by user | where match(action,"success") AND priorcount>=3 Run anywhere test code... | makeresults | eval mydata="user1,success user1,success user1,failure user1,failure user2,failure user2,success user1,failure user1,failure user1,success user3,failure user3,failure user3,failure user3,success" | makemv mydata | mvexpand mydata | makemv delim="," mydata | eval user=mvindex(mydata,0) | eval action=mvindex(mydata,1) | streamstats count as recno | eval time=relative_time(now(),"@d")+recno | fields - mydata | rename COMMENT as "The above just creates test data" | sort 0 _time user | streamstats sum(eval(match(action,"failure"))) AS action_count reset_after="("match(action,\"success\")")" BY user | where match(action,"success") AND action_count>=3 ... View more

hmm,so for each successful login we go and execute? isn’t more normal to search only when I see a fail, which are not so often as successful logins? thanks ... View more

looks good ,looks good ... View more