Hi,
I would like to write a search for logon failures on Active Directory, and the results should include columns like time, username, event ID, and computer name.
Logs are already flooding into Splunk, so I just need this search so that those logs can be viewed in a table.
Thanks,
Uma.
It will probably be something like this:
sourcetype=WinSecurity EventCode=4625 | table _time User EventCode ComputerName
I don't know how to write your search for you, because I don't know how you are bringing the event log into Splunk. What is the sourcetype of the data, how do you identify the events of interest? I guessed at the field names for the table command, based on event logs I have seen in the past, but yours could be different.
You really need to play around with Splunk and your data; the community can help answer specific questions, but it is hard to show the basics in a Q&A format. I recommend the free e-learning course called Splunk Tutorial, as well as an online self-training document Splunk tutorial. (They are similar in content, but not the same.) You can also find videos and documentation at splunk.com.
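An added example, not from this thread or from Splunk: a short Python script that parses Windows Security events in the text layout the Splunk Add-on for Microsoft Windows forwards, keeps EventCode 4625, and prints the columns asked for. The sample events are constructed, and the field names (_time, EventCode, ComputerName, Account_Name, Workstation_Name, Status) are my assumption about that add-on's extractions, so confirm them in your own index before building on them. One caveat specific to 4625: the message carries two "Account Name" values, the Subject (whoever attempted the logon, often "-" or a machine account) and the account whose logon actually failed, so Account_Name is multivalued in Splunk and the table should pick the last value (mvindex(Account_Name, -1) in SPL) rather than the first.

```python
"""Tabulate Windows failed logons (EventCode 4625) from Security events in the
text layout the Splunk Add-on for Microsoft Windows forwards. Field names
(_time, EventCode, ComputerName, Account_Name, Workstation_Name, Status) are
assumed to match that add-on's extractions; check them in your own index.
Equivalent SPL under the same assumption:
    source="WinEventLog:Security" EventCode=4625
    | eval user=mvindex(Account_Name, -1)
    | table _time user EventCode ComputerName Workstation_Name Status
"""
import re
from datetime import datetime
from typing import Any, Dict, List

# Constructed sample events (not real log data): a timestamp line, key=value
# header lines, then Message= followed by the tab-indented body.
SAMPLE_EVENTS = [
    "04/12/2023 09:15:02 AM\n"
    "LogName=Security\n"
    "EventCode=4625\n"
    "ComputerName=DC01.corp.example\n"
    "Message=An account failed to log on.\n\n"
    "Subject:\n"
    "\tAccount Name:\t\t-\n\n"
    "Account For Which Logon Failed:\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tCORP\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n\n"
    "Network Information:\n"
    "\tWorkstation Name:\tWS-FINANCE-07\n",
    # A successful logon (4624): the filter must drop it.
    "04/12/2023 09:15:09 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "ComputerName=DC01.corp.example\n"
    "Message=An account was successfully logged on.\n\n"
    "New Logon:\n"
    "\tAccount Name:\t\tsvc-backup\n",
    # A second failure (locked-out account) reported by a member server.
    "04/12/2023 09:16:41 AM\n"
    "LogName=Security\n"
    "EventCode=4625\n"
    "ComputerName=FS02.corp.example\n"
    "Message=An account failed to log on.\n\n"
    "Subject:\n"
    "\tAccount Name:\t\tFS02$\n\n"
    "Account For Which Logon Failed:\n"
    "\tAccount Name:\t\tadministrator\n\n"
    "\tStatus:\t\t\t0xC0000234\n\n"
    "Network Information:\n"
    "\tWorkstation Name:\tWS-FINANCE-07\n",
]

HEADER_RE = re.compile(r"^(?P<key>\w+)=(?P<val>.*)$")
# Body lines look like "\tAccount Name:\t\tjdoe"; a label may occur twice.
BODY_RE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?):\s+(?P<val>\S.*)$")

def parse_event(raw: str) -> Dict[str, Any]:
    """Header fields become strings; Message fields become lists (multivalue)."""
    header, _, message = raw.strip().partition("Message=")
    hlines = header.strip().splitlines()
    event: Dict[str, Any] = {
        "_time": datetime.strptime(hlines[0].strip(), "%m/%d/%Y %I:%M:%S %p")}
    for line in hlines[1:]:
        m = HEADER_RE.match(line.strip())
        if m:
            event[m.group("key")] = m.group("val").strip()
    for line in message.splitlines():
        m = BODY_RE.match(line)
        if m:
            key = m.group("label").replace(" ", "_")
            event.setdefault(key, []).append(m.group("val").strip())
    return event

def failed_logons(events: List[str]) -> List[Dict[str, Any]]:
    """Keep EventCode 4625 and select the columns the question asked for."""
    rows = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventCode") != "4625":
            continue
        # 4625 carries two Account Name values: the Subject (who attempted the
        # logon, often "-" or a machine account) and the account whose logon
        # failed. The last value is the one to report as the user.
        names = ev.get("Account_Name", ["-"])
        rows.append({"_time": ev["_time"], "user": names[-1],
                     "EventCode": ev["EventCode"],
                     "ComputerName": ev.get("ComputerName", ""),
                     "Workstation_Name": ev.get("Workstation_Name", [""])[0],
                     "Status": ev.get("Status", [""])[0]})
    return sorted(rows, key=lambda r: r["_time"])

COLUMNS = ["_time", "user", "EventCode", "ComputerName", "Workstation_Name", "Status"]

def render_table(rows: List[Dict[str, Any]]) -> str:
    """Fixed-width text table, in the spirit of Splunk's `table` command."""
    cells = [[str(r[c]) for c in COLUMNS] for r in rows]
    widths = [max([len(c)] + [len(row[i]) for row in cells]) for i, c in enumerate(COLUMNS)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return "\n".join([fmt.format(*COLUMNS)] + [fmt.format(*row) for row in cells])

if __name__ == "__main__":
    print(render_table(failed_logons(SAMPLE_EVENTS)))
```

Run it as-is to see the two failed logons tabulated and the 4624 dropped; to try it on real data, export a few events from the Security log in this text layout and replace SAMPLE_EVENTS. The Status column is worth keeping in the Splunk search too, since 0xC000006D (bad username or password) and 0xC0000234 (locked out) point at different problems even though both arrive as EventCode 4625.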