The following Splunk search query returns failed login attempts in a Linux environment for a specified time range. The regular expressions are defined within the search string; if you have already extracted the necessary fields, you can drop the rex stages.
sourcetype=linux_secure
| eval Date=strftime(_time, "%Y/%m/%d")
| rex ".*:\d{2}\s(?<hostname>\S+)"
| rex "gdm\S+\sauthentication\s(?<status>\w+)"
| rex "\suser[^'](?<User>\S+\w+)"
| search status=failure
| stats count as fails by Date, User, hostname
| eval "Alert Level"=case(fails>=50, "Critical", fails<50 AND fails>=20, "Warning", fails<20, "Normal")
| sort - fails
| rename fails as "Failed Logon Attempts"
| rename User as "Account in Question"
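To check the three rex extractions and the alert thresholds offline before scheduling the search, here is an added Python example (not part of the original post) that runs the same logic over a constructed sample of gdm/pam_unix syslog lines. It assumes classic syslog timestamps without a year (a year of 2024 is assumed), uses Python's (?P<name>...) named-group syntax in place of Splunk's (?<name>...), and includes one sshd line to show that the gdm-specific status regex leaves non-gdm failures out of the count.

```python
import re
from collections import Counter
from datetime import datetime

# The same three extractions as the query's rex stages. Python needs
# (?P<name>...) where Splunk's PCRE accepts (?<name>...).
HOSTNAME_RE = re.compile(r".*:\d{2}\s(?P<hostname>\S+)")
STATUS_RE = re.compile(r"gdm\S+\sauthentication\s(?P<status>\w+)")
USER_RE = re.compile(r"\suser[^'](?P<User>\S+\w+)")

ASSUMED_YEAR = 2024  # classic syslog timestamps carry no year (assumption)


def gdm_line(day, host, user):
    """Build one constructed gdm/pam_unix failure line in syslog format."""
    return (f"Mar {day:02d} 12:00:00 {host} gdm-password]: "
            f"pam_unix(gdm-password:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty=:0 ruser= rhost=  user={user}")


# Constructed sample log: 55 failures for root on web01, 22 for bob on web01,
# 3 for alice on db01, plus one sshd failure the gdm-specific rex cannot match.
SAMPLE_LOG = (
    [gdm_line(10, "web01", "root") for _ in range(55)]
    + [gdm_line(10, "web01", "bob") for _ in range(22)]
    + [gdm_line(11, "db01", "alice") for _ in range(3)]
    + ["Mar 11 12:00:00 db01 sshd[4242]: Failed password for invalid user admin "
       "from 192.0.2.10 port 4444 ssh2"]
)


def parse_line(line):
    """Apply the three regexes; return a row dict, or None if any field is missing
    (Splunk would likewise drop the event at `search status=failure`)."""
    host = HOSTNAME_RE.search(line)
    status = STATUS_RE.search(line)
    user = USER_RE.search(line)
    if not (host and status and user):
        return None
    # eval Date=strftime(_time, "%Y/%m/%d"), with the assumed year filled in
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {
        "Date": ts.strftime("%Y/%m/%d"),
        "User": user.group("User"),
        "hostname": host.group("hostname"),
        "status": status.group("status"),
    }


def alert_level(fails):
    """Same thresholds as the query's case() statement."""
    if fails >= 50:
        return "Critical"
    if fails >= 20:
        return "Warning"
    return "Normal"


def failed_logons(lines):
    """Equivalent of: search status=failure | stats count as fails by Date, User,
    hostname | eval "Alert Level" | sort - fails | rename ..., as a list of rows."""
    counts = Counter()
    for line in lines:
        row = parse_line(line)
        if row and row["status"] == "failure":
            counts[(row["Date"], row["User"], row["hostname"])] += 1
    rows = [
        {"Date": d, "Account in Question": u, "hostname": h,
         "Failed Logon Attempts": n, "Alert Level": alert_level(n)}
        for (d, u, h), n in counts.items()
    ]
    return sorted(rows, key=lambda r: r["Failed Logon Attempts"], reverse=True)


if __name__ == "__main__":
    for row in failed_logons(SAMPLE_LOG):
        print(row)
```

Running it prints three rows (root Critical, bob Warning, alice Normal) and silently ignores the sshd line, which is the point to keep in mind: this search only covers graphical (gdm) logins, so SSH brute-force attempts need a separate status extraction.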