Hello,

Currently using:

    index="wineventlog"
    | bin _time as minute span=10m
    | streamstats count by _time
    | eventstats count(eval(status="failed")) as failures by user minute
    | where failures > 5
    | table user _time failures minute

But it is not bringing back any results, even if I increase the time span and decrease the failures to try to capture something.

I'm also trying to include that I want Splunk to show me if the same user fails to authenticate X amount of times within X minutes, not just all users. I wanted Splunk to show me per user, if that makes sense?

Also, I'm trying to get the results to show in a table/statistics view; an example is below:

    Time              Logon Account   action    Computer Name   Source Workstation   count
    15/12/2021 08:00  joe.bloggs      failure   computer1       workstation1         22
    15/12/2021 10:00  alex.hand       failure   computer1       workstation2         554
    15/12/2021 12:25  bob.francis     failure   computer1       workstation3         75
    15/12/2021 15:23  alice.green     failure   computer1       workstation4         42

So, for example, if I had it set to show me if there have been more than 5 auth fails within 5 minutes, the count column would show how many auth failures there were within the 5 minutes, and which user tried to authenticate.
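One way to produce the per-user, per-window table described above, as an added example rather than the poster's own query. It assumes the field names the Splunk Add-on for Microsoft Windows extracts from Security events (`action`, `user`, `ComputerName`, `Workstation_Name`); if your events carry different names, check them with `| fieldsummary` first, and swap `action="failure"` for `EventCode=4625` if `action` is not populated.

```spl
index="wineventlog" action="failure"
| bin _time span=5m
| stats count AS failures
        values(ComputerName) AS "Computer Name"
        values(Workstation_Name) AS "Source Workstation"
        BY _time user
| where failures > 5
| eval action="failure", Time=strftime(_time, "%d/%m/%Y %H:%M")
| table Time user action "Computer Name" "Source Workstation" failures
| rename user AS "Logon Account", failures AS count
```

`stats ... BY _time user` after `bin` counts failures for each user inside each 5-minute bucket, so the `where` applies per user rather than across everyone, and only users who exceed the threshold in a bucket reach the table. Two caveats: `bin` gives fixed buckets, so a burst that straddles a boundary is split across two rows (for a true sliding window use `streamstats time_window=5m count AS failures BY user` on time-sorted results instead of `bin` plus `stats`); and a `count(eval(status="failed"))` against a field that does not exist in the events evaluates to 0 for every row, which a `where failures > 5` then filters out entirely.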