try something along the lines of:
source=auth.log Failed password | rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by src_ip | sort -count
this should produce a table of ip addresses and the count of the time they were in the logfile.
... View more