Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Usernames Failed to Login against an IP Address | which other IP Addresses has that Username Failed to login against?

JgTheGreat
Engager
‎11-11-2017 07:04 AM

Hello,

I'm looking for a query, which looks for successful [ or unsuccessful ] brute force attempts, and then to take the Username that was [ or unsuccessfully/successfully logged in and then automatically return which other (if any) IP's that account was logged into.

Virtual beers and a high five on offer here 😄

KJG

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎11-11-2017 07:37 AM 
index=your_index status=succes OR status=unsuccessful | stats values(srcip) by users status

If you give me sample event and field names associated with it I can give you proper query.

0 Karma
Reply

mayurr98
Super Champion
‎11-11-2017 07:39 AM

You need to edit these query according to naming of the field names in your data.

0 Karma
Reply

JgTheGreat
Engager
‎11-11-2017 07:42 AM

Query in original question - hope that this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...