Haven't try this by myself, but you could try next. If you have your test/dev-instance please try it or even download trial version and use it. As bucket names in single node indexer vs. cluster are different you may need to rename that bucket from cluster mode to single node mode. But in test instance you could try it first with cluster named version. If it works and don't crash your instance use it and if not then rename that bucket to single node version and try again. r. Ismo ... View more

Thanks for the ideas, I think I am trying to do too much at once, my intention was to map out, possibly look at averaging over time, failed logon attempts by the user and signature per day but that may be biting off more than I (or splunk) can chew in a manner to produce usable results. I started to separate out the data by the signature field instead, producing several different groups of data/reports that seems to work a bit easier. index=wineventlog EventCode=4625 NOT TargetUserName="*$" signature="Account is currently disabled" | bucket _time span=1d | eval User=TargetDomainName."/".TargetUserName | stats count by User src _time | timechart sum(count) as count by User ... View more

Thanks heaps, that worked perfectly, still need to get my head around some of these commands and how to put them all together. ... View more

'deflate item' is available in 'phantom app'(Phantom App for Phantom) ... View more