Also, Splunk 7.2 allows you to not use the "admin" user during setup. I have found ES relies on this user for some processes, so you should still use the name "admin" in the setup process of installing Splunk on an ES search head.
There are a few ways, but I like this one as it is a little simpler to modify for other use cases as well:
| from datamodel:"Authentication"."Authentication"
| stats values(user) values(Calling_Station_ID) count(eval('action'=="success")) as success, count(eval('action'=="failure")) as failure by src
| search success>1 failure>20
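The same per-source success/failure logic as the SPL above, as an added Python example that is not part of the original answer; it runs offline over a constructed set of authentication records (field names src, user, action, Calling_Station_ID mirror the Authentication data model, the thresholds mirror the final `| search` clause):

```python
"""
Added example (not from the original post): the detection logic of the SPL
answer, run over constructed authentication records. Per source address it
counts successes and failures and flags a src with more than 1 success AND
more than 20 failures, i.e. a password-guessing run that eventually got in.
"""
from collections import defaultdict

# Thresholds copied from the answer's "| search success>1 failure>20".
SUCCESS_MIN = 1
FAILURE_MIN = 20


def summarize_by_src(events):
    """Equivalent of the stats clause: values(user), values(Calling_Station_ID),
    success and failure counts, keyed by src."""
    stats = {}
    for e in events:
        row = stats.setdefault(e["src"], {
            "user": set(), "Calling_Station_ID": set(),
            "success": 0, "failure": 0,
        })
        row["user"].add(e["user"])
        if e.get("Calling_Station_ID"):
            row["Calling_Station_ID"].add(e["Calling_Station_ID"])
        if e["action"] in ("success", "failure"):
            row[e["action"]] += 1
    return stats


def suspicious_sources(events):
    """Apply the answer's filter and return the offending src values, sorted."""
    stats = summarize_by_src(events)
    return sorted(src for src, r in stats.items()
                  if r["success"] > SUCCESS_MIN and r["failure"] > FAILURE_MIN)


def constructed_events():
    """Constructed sample data: 10.0.0.5 fails 25 times across five accounts and
    then succeeds twice; 10.0.0.9 is a user mistyping a password three times."""
    ev = [{"src": "10.0.0.5", "user": f"user{i % 5}", "action": "failure",
           "Calling_Station_ID": "AA-BB-CC-00-00-05"} for i in range(25)]
    ev += [{"src": "10.0.0.5", "user": "user3", "action": "success",
            "Calling_Station_ID": "AA-BB-CC-00-00-05"}] * 2
    ev += [{"src": "10.0.0.9", "user": "alice", "action": "failure"}] * 3
    ev += [{"src": "10.0.0.9", "user": "alice", "action": "success"}]
    return ev


if __name__ == "__main__":
    rows = summarize_by_src(constructed_events())
    for src in suspicious_sources(constructed_events()):
        print("flagged:", src, rows[src])
```

Only 10.0.0.5 is flagged; 10.0.0.9 stays below the failure threshold, which is the point of requiring both counts rather than failures alone.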