Splunk Dev

how to set an alert for user failed to login to multiple times on multiple server

Girish_RH
New Member

Required a usecase for
** user failed to login to multiple times on multiple server**

0 Karma

hok2010
New Member

Hi Girish,
please try this one
this is for windowsevent logs

----SPL Query-----
sourcetype="wineventlog:security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| stats values(ComputerName) as Servers_failing by Account_Name
| where mvcount(Servers_failing)>1

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Once you have your failed login events, you can use the stats command to group them by user and count the number of failures. It'll be something like this:

<your search for failed logins> | stats count, dc(machine) as machines by user | where (count > <some number>) AND (machines > 1)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...