Hi, I'm trying to get failed logins from users who try to authenticate to Splunk using curl authentication. My command was:

curl -k https://localhost:8089/services/auth/login --data-urlencode username=myUser --data-urlencode password=myWrongPass

and I get an XML response saying that it's an incorrect username or password, but when I enter valid credentials from this SPL search command:

index="_audit" action="login attempt" curl

I only get successful authentications, not failed ones. I'm interested in getting a list of all failed logins that used curl.
Event result:

Audit:[timestamp=05-12-2020 16:11:55.106, user=myuser, action=login attempt, info=succeeded reason=user-initiated useragent="curl/7.69.1" clientip=127.0.0.1 session=3a7b3720876a61c93d1584b2b8613fe1][n/a]