Hi, can someone please suggest a query we can build to find successful logins and failed attempts in separate queries?
Thanks
Hi,
index=_audit action="login attempt" info=succeeded | table _time user
index=_audit action="login attempt" info=failed | table _time user
Hi there splunker, try like this.
index=_audit tag=authentication info=succeeded | stats count by user, info, host | sort - info
index=_audit tag=authentication info=failed | stats count by user, info, host | sort - info
Don't know about your Splunk environment, but if you are looking to get this from all your instances, you have to forward the _audit index to your Search Head.
Hope it helps.
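Added example, not from this thread or from Splunk: a small Python script that applies the same succeeded/failed split and the "stats count by user, info, host" aggregation offline to constructed _audit-style "login attempt" lines. The key=value layout inside Audit:[ ... ], the host names and the users are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events shaped like Splunk _audit "login attempt" records.
# The field layout is assumed for this example; host is Splunk event metadata,
# so it is carried next to the raw line as a (host, raw) pair.
SAMPLE_EVENTS = [
    ("sh01", "Audit:[timestamp=06-12-2024 09:15:02.114, user=alice, action=login attempt, info=succeeded reason=user-initiated useragent=curl/8.0 clientip=10.1.2.3 ][n/a]"),
    ("sh01", "Audit:[timestamp=06-12-2024 09:16:40.002, user=bob, action=login attempt, info=failed reason=user-initiated useragent=curl/8.0 clientip=10.1.2.9 ][n/a]"),
    ("sh01", "Audit:[timestamp=06-12-2024 09:16:55.310, user=bob, action=login attempt, info=failed reason=user-initiated useragent=curl/8.0 clientip=10.1.2.9 ][n/a]"),
    ("idx02", "Audit:[timestamp=06-12-2024 09:20:11.770, user=bob, action=login attempt, info=succeeded reason=user-initiated useragent=curl/8.0 clientip=10.1.2.9 ][n/a]"),
    ("idx02", "Audit:[timestamp=06-12-2024 09:21:00.000, user=admin, action=search, info=granted search_id=1 ][n/a]"),
]

AUDIT_RE = re.compile(r"Audit:\[(.*?)\s*\]\[")
# key=value pairs; a value runs until the next ", key=" or " key=" or the end.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=,\s\w+=|\s\w+=|\s*$)")


def parse_audit_event(raw):
    """Return the fields inside Audit:[ ... ] as a dict, or None if not an audit record."""
    m = AUDIT_RE.search(raw)
    if not m:
        return None
    return {k: v for k, v in FIELD_RE.findall(m.group(1))}


def login_attempts(events, outcome):
    """Mirror: index=_audit action="login attempt" info=<outcome> | table _time user host."""
    rows = []
    for host, raw in events:
        f = parse_audit_event(raw)
        if f and f.get("action") == "login attempt" and f.get("info") == outcome:
            rows.append({"_time": f["timestamp"], "user": f["user"], "host": host})
    return rows


def count_by_user_host(rows):
    """Mirror: | stats count by user, host (info is fixed by the outcome filter)."""
    return dict(Counter((r["user"], r["host"]) for r in rows))


if __name__ == "__main__":
    for outcome in ("succeeded", "failed"):
        print(outcome, count_by_user_host(login_attempts(SAMPLE_EVENTS, outcome)))
```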
Hi,
index=_audit action="login attempt" info=succeeded | table _time user
index=_audit action="login attempt" info=failed | table _time user
I guess this gives us information about our saved searches and how they are running.
We are looking to find failed login attempts to Splunk hosts.
Thanks
I'm not quite sure what you mean, but I get login attempts with user name. Why should the action="login attempt" prompt saved searches information? If you want to see the hosts as well, expand with
index=_audit action="login attempt" info=failed | table _time user host
this works for us.