Solved: Splunk success & fail Logins

kiran331 · ‎08-09-2016

Hi

How can i get a report of Success and Fail Logins in Splunk Local accounts(not LDAP) for last 30 days?

inventsekar · ‎08-09-2016

index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

View solution in original post

inventsekar · ‎08-09-2016

index=_audit tag=authentication | stats count by user, info | sort - info

this works fine, but it includes LDAP as well. let me check how to get only local accounts.
one more question - do you have both Local accounts and LDAP authentication together ah?!?!

inventsekar · ‎08-09-2016

looks like source and sourcetype are audittrail. i hope this is same for LDAP and local users as well. please check it and update us(for those who uses LDAP only)
index=_audit source = audittrail sourcetype = audittrail

kiran331 · ‎08-09-2016

Thank! It got both Ldap and local accounts

Splunk success & fail Logins

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!