Splunk® Light (Legacy)

Search and Reporting Examples


Report on failed login attempts using Splunk Light

This example uses LDAP data with the source type winauthentication_security. The search finds users of a fictitious online company, Buttercup Games, who have had multiple login failures over the past 24 hours.

The data contains Windows Event Codes, such as:

  • 540 Successful Network Logon
  • 4624 Successful Network Logon
  • 4625 Failure
  • 4634 Successful Network Logoff

To search for failures, you can specify the Event Code:

sourcetype=winauthentication_security EventCode=4625

You can search for the top failed logins based on the User:

sourcetype=winauthentication_security EventCode=4625 | top User

(Screenshot: results of the top User search)

By default, the top command returns 10 results. You can change this limit, or you can use the stats command instead to see all users with failed login attempts.

sourcetype=winauthentication_security EventCode=4625 | stats count by User

(Screenshot: results of the stats count by User search)

In this search, stats counts the failed login attempts by User. You can then use the where command to show only the users with more than one failed attempt.

sourcetype=winauthentication_security EventCode=4625 | stats count by User | where count > 1

(Screenshot: results of the stats count by User search filtered with where count > 1)

If there are users you want to exclude, filter them out in the original search. For example, you may not want to include User=Administrator in your report.

sourcetype=winauthentication_security EventCode=4625 User!=Administrator | stats count by User | where count > 1
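The following is an added example, not code from the Splunk documentation: a small Python re-implementation of the search pipeline built up above (filter on sourcetype and EventCode, exclude a user, count by User, keep counts above a threshold, and a top-N equivalent), run over constructed sample events so it can be executed offline. The field names EventCode, User and sourcetype mirror the SPL searches; the user names and event counts are invented.

```python
from collections import Counter

# Constructed sample events, one dict per Windows Security event.
# The sourcetype and field names follow the SPL examples; the values are made up.
SAMPLE_EVENTS = [
    {"sourcetype": "winauthentication_security", "EventCode": 4624, "User": "alice"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "alice"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "bob"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "bob"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "bob"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "carol"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "carol"},
    {"sourcetype": "winauthentication_security", "EventCode": 4634, "User": "carol"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "Administrator"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "Administrator"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "Administrator"},
    {"sourcetype": "winauthentication_security", "EventCode": 4625, "User": "Administrator"},
    # Same event code but a different sourcetype: the base search must drop it.
    {"sourcetype": "other_sourcetype", "EventCode": 4625, "User": "mallory"},
]


def search_failures(events, exclude_users=()):
    """Equivalent of: sourcetype=winauthentication_security EventCode=4625 [User!=...]"""
    return [
        e for e in events
        if e["sourcetype"] == "winauthentication_security"
        and e["EventCode"] == 4625
        and e["User"] not in exclude_users
    ]


def stats_count_by_user(events):
    """Equivalent of: | stats count by User   -> {User: count}"""
    return dict(Counter(e["User"] for e in events))


def where_count_gt(counts, threshold=1):
    """Equivalent of: | where count > threshold"""
    return {user: n for user, n in counts.items() if n > threshold}


def top_users(events, limit=10):
    """Equivalent of: | top User (limit defaults to 10, as in SPL).

    Returns (User, count, percent) tuples sorted by count descending; percent is
    the share of the events reaching this stage, a simplification of top's output.
    """
    counts = Counter(e["User"] for e in events)
    total = sum(counts.values())
    return [(u, n, round(100.0 * n / total, 2)) for u, n in counts.most_common(limit)]


def failed_login_report(events, exclude_users=("Administrator",), threshold=1):
    """The last search on the page: exclude Administrator, count by User, keep count > 1."""
    failures = search_failures(events, exclude_users)
    return where_count_gt(stats_count_by_user(failures), threshold)


if __name__ == "__main__":
    print(top_users(search_failures(SAMPLE_EVENTS), limit=3))
    print(failed_login_report(SAMPLE_EVENTS))
```

Run as a script it prints the three top offenders (Administrator, bob, carol) and then the filtered report {"bob": 3, "carol": 2}; alice is dropped by the count > 1 step and Administrator by the User!=Administrator exclusion, which is applied before counting, exactly as in the SPL where the filter sits in the base search rather than after stats.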

Last modified on 05 April, 2016

This documentation applies to the following versions of Splunk® Light (Legacy): 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6