Required: a use case for
**user failed to log in multiple times on multiple servers**
Hi Girish,
Please try this one.
This is for Windows event logs.
----SPL Query-----
sourcetype="wineventlog:security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| stats values(ComputerName) as Servers_failing by Account_Name
| where mvcount(Servers_failing)>1
Once you have your failed login events, you can use the stats command to group them by user and count the number of failures. It'll be something like this:
<your search for failed logins> | stats count, dc(machine) as machines by user | where (count > <some number>) AND (machines > 1)
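
Added example, not part of the original posts: the logic of both queries above (failure count plus distinct servers per account) run in Python over constructed 4625 events, so the thresholds can be checked offline before a search is scheduled. The 15-minute sliding window, the default thresholds and the function name are assumptions; the posted queries rely on the search time range instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (time, EventCode, ComputerName, Account_Name).
# Account_Name holds two values as in the wineventlog:security extraction:
# index 0 is the Subject account, index 1 is the account that failed to log on.
EVENTS = [
    ("2024-05-01T10:00:05", 4625, "SRV01", ["-", "alice"]),
    ("2024-05-01T10:01:10", 4625, "SRV02", ["-", "alice"]),
    ("2024-05-01T10:02:00", 4625, "SRV03", ["-", "Alice"]),
    ("2024-05-01T10:03:30", 4625, "SRV01", ["-", "alice"]),
    ("2024-05-01T10:04:00", 4624, "SRV01", ["-", "alice"]),  # success, ignored
    ("2024-05-01T10:00:00", 4625, "SRV01", ["-", "bob"]),    # many failures, one server
    ("2024-05-01T10:00:20", 4625, "SRV01", ["-", "bob"]),
    ("2024-05-01T10:00:40", 4625, "SRV01", ["-", "bob"]),
    ("2024-05-01T09:00:00", 4625, "SRV01", ["-", "carol"]),  # many servers, hours apart
    ("2024-05-01T11:30:00", 4625, "SRV02", ["-", "carol"]),
    ("2024-05-01T14:00:00", 4625, "SRV03", ["-", "carol"]),
]

def failed_logon_spread(events, min_failures=3, min_servers=2,
                        window=timedelta(minutes=15)):
    """Return {account: (failure_count, servers)} for accounts that reach both
    thresholds inside one sliding window (hypothetical helper, assumed defaults)."""
    per_user = defaultdict(list)
    for ts, code, computer, accounts in events:
        if code != 4625:
            continue
        # Same field the first query picks with mvindex(Account_Name,1);
        # lower-cased because Windows account names are case-insensitive.
        per_user[accounts[1].lower()].append((datetime.fromisoformat(ts), computer))

    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Failures from this event up to `window` later.
            in_window = [srv for ts, srv in hits[i:] if ts - start <= window]
            servers = sorted(set(in_window))
            if len(in_window) >= min_failures and len(servers) >= min_servers:
                flagged[user] = (len(in_window), servers)
                break  # report the first window that trips both thresholds
    return flagged

if __name__ == "__main__":
    for user, (count, servers) in failed_logon_spread(EVENTS).items():
        print(f"{user}: {count} failed logons across {', '.join(servers)}")
```

Only alice is reported with the defaults: bob fails repeatedly on a single server, and carol's failures are spread over hours, which is why an explicit window or a bounded search range matters for this use case.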