You can specify a new index and sourcetype from the stanza; you do not need to do this again in the GUI. I suggest testing the new data before fully committing to adding it to Splunk. To test, just go to the GUI and use the Add Data option and select Index Once vs Continuously Monitor.
Use the
| table
to create a table of any fields you are interested in. The results from the search should provide interesting fields on the left of the search panel; then use
| sort
...
Can you try something like this?
index=ise authentication="failed" Administrator="Login"
| table UserName
I suggest adding a sourcetype to the search as well in the future.