Thanks for the ideas. I think I am trying to do too much at once. My intention was to map out, and possibly look at averaging over time, failed logon attempts by the user and signature per day, but that may be biting off more than I (or Splunk) can chew in a manner to produce usable results. I started to separate out the data by the signature field instead, producing several different groups of data/reports, which seems to work a bit easier.

index=wineventlog EventCode=4625 NOT TargetUserName="*$" signature="Account is currently disabled"
| bucket _time span=1d
| eval User=TargetDomainName."/".TargetUserName
| stats count by User src _time
| timechart sum(count) as count by User