Solved: Splunk success & fail Logins

kiran331 · ‎08-09-2016

Hi

How can i get a report of Success and Fail Logins in Splunk Local accounts(not LDAP) for last 30 days?

inventsekar · ‎08-09-2016

index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

View solution in original post

inventsekar · ‎08-09-2016

index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

inventsekar · ‎08-09-2016

looks like source and sourcetype are audittrail. i hope this is same for LDAP and local users as well. please check it and update us(for those who uses LDAP only)
index=_audit source = audittrail sourcetype = audittrail

kiran331 · ‎08-09-2016

Thank! It got both Ldap and local accounts

Splunk success & fail Logins

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...