Hi All, I have just started a new role and have not been introduced to Splunk in any previous jobs, so this is completely new to me. We have a user that is constantly getting account lockout issues. All our domain controller security logs etc. are extracted into Splunk every fifteen minutes. I am attempting to complete a search from the Splunk Enterprise --- New Search field, but I can only extract the below information, which tells me the user, source, and host and that the user has an Audit Failure. Please could someone point me to how I would go about extracting the information on what machine the user is getting the account lock from. I see quite a few messages on the internet, but they never say where the actual message should be input. Is it directly into the New Search field? Any help would be very much appreciated.
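A search (added here as an example, not part of the original post) that goes directly into the New Search field: Windows Security event 4740 ("A user account was locked out") is written on the domain controller that processed the lockout (always on the PDC emulator) and its Caller Computer Name field names the machine the bad passwords came from. It assumes the Windows events are in an index called wineventlog with sourcetype WinEventLog:Security, that the Splunk Add-on for Windows has extracted the classic fields Account_Name and Caller_Computer_Name (with XML rendering the equivalents are TargetUserName and TargetDomainName), and a placeholder user name jsmith.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4740 Account_Name="jsmith"
| stats count min(_time) as first_seen max(_time) as last_seen by host, Caller_Computer_Name
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Widen the time picker past the default before running it, since the lockouts arrive in fifteen-minute batches; if Caller_Computer_Name is blank or is a DC name, the origin is a service (for example Exchange or a VPN) in front of the DC, and the pre-lockout 4771 events with Failure_Code 0x18 on the same DC carry the Client_Address of the real source.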