The following Splunk search returns the number of failed logins to the Splunk Web console over time (one count per timechart bucket, taken from the internal _audit index). The trailing eventstats then appends the average of those per-bucket counts to every row, so you can see at a glance which periods are above normal.
index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts | eventstats avg(Failed_Attempts) as Average
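As an added example that is not part of the original post, the script below re-implements the same pipeline in Python over raw splunkd.log lines, matching on the `ERROR UiAuth` events that the revised search in the comments uses rather than the _audit index. It mirrors `timechart count(user)` (hourly buckets, quiet hours zero-filled, which is what makes the average meaningful) and `eventstats avg`, and then goes one step further than the search by reporting which users failed and which users produced a burst of failures inside a single hour, since an average over all buckets hides a short brute-force attempt. The sample log lines are constructed, and their layout is my assumption of how splunkd.log formats UiAuth events; check a line from your own instance before relying on the regex.

```python
"""Failed Splunk Web logins from splunkd.log: timechart, average, per-user, bursts."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. The layout is assumed to match what splunkd.log
# writes for UiAuth events; it was not captured from a real host.
SAMPLE_LOG = """\
08-15-2012 09:12:01.123 -0700 INFO  UiAuth - user=alice action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.5
08-15-2012 09:14:22.410 -0700 ERROR UiAuth - user=bob action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.9
08-15-2012 09:31:07.001 -0700 ERROR UiAuth - user=bob action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.9
08-15-2012 10:02:45.777 -0700 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="curl/7.29" clientip=203.0.113.7
08-15-2012 10:03:01.002 -0700 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="curl/7.29" clientip=203.0.113.7
08-15-2012 10:03:15.330 -0700 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="curl/7.29" clientip=203.0.113.7
08-15-2012 12:45:59.900 -0700 ERROR UiAuth - user=carol action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.12
08-15-2012 12:46:30.000 -0700 INFO  UiAuth - user=carol action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.12
"""

# "<timestamp>.<ms> <tz> <LEVEL> UiAuth - key=value key="quoted value" ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4}\s+"
    r"(?P<level>[A-Z]+)\s+UiAuth - (?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_uiauth(text):
    """Return one dict per UiAuth line: _time, level, and the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # splunkd.log carries many other components; skip them
        ev = {"_time": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S"),
              "level": m.group("level")}
        for key, raw, inner in KV_RE.findall(m.group("kv")):
            ev[key] = inner if raw.startswith('"') else raw
        events.append(ev)
    return events


def failed_logins(events):
    """The `ERROR UiAuth` filter from the revised search: failed Web logins only."""
    return [e for e in events
            if e["level"] == "ERROR"
            and e.get("action") == "login"
            and e.get("status") == "failure"]


def _floor(ts, span):
    """Align a timestamp to the start of its bucket (timechart's _time)."""
    origin = datetime(1970, 1, 1)
    return origin + ((ts - origin) // span) * span


def timechart_count(events, span=timedelta(hours=1)):
    """Equivalent of `timechart count(user)`: count per bucket, zero-filled."""
    buckets = Counter(_floor(e["_time"], span) for e in events if "user" in e)
    if not buckets:
        return {}
    t, last, series = min(buckets), max(buckets), {}
    while t <= last:
        series[t] = buckets.get(t, 0)  # timechart emits 0 for quiet buckets
        t += span
    return series


def average(series):
    """Equivalent of `eventstats avg(Failed_Attempts)`: mean of the bucket counts."""
    return sum(series.values()) / len(series) if series else 0.0


def failures_by_user(events):
    """Which accounts failed, which the timechart by itself does not show."""
    return Counter(e["user"] for e in events if "user" in e)


def users_over_threshold(events, threshold, span=timedelta(hours=1)):
    """Users with at least `threshold` failures inside one bucket: a burst the average hides."""
    per = Counter((e["user"], _floor(e["_time"], span)) for e in events if "user" in e)
    return sorted({user for (user, _), n in per.items() if n >= threshold})


if __name__ == "__main__":
    failed = failed_logins(parse_uiauth(SAMPLE_LOG))
    series = timechart_count(failed)
    for t, n in series.items():
        print(f"{t:%Y-%m-%d %H:%M}  Failed_Attempts={n}")
    print("Average =", average(series))
    print("by user:", dict(failures_by_user(failed)))
    print("burst users (>=3 in one hour):", users_over_threshold(failed, 3))
```

On the sample above the hourly series is 2, 3, 0, 1 (the empty 11:00 bucket is kept, as timechart would keep it), the average is 1.5, and `admin` is the only account that crosses three failures in one hour. The splunkd.log path in the revised search is install-specific; substitute your own `$SPLUNK_HOME/var/log/splunk/splunkd.log` if Splunk is not under /opt/splunk.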
I get zero events over All Time when I search for:
index=_audit action="login attempt"
Logging parameter not set correctly???
I’ve made a revision. Looks like either I had a custom defined field, or the splunk search language has changed (most likely the former).
Thanks for pointing this out :)
Where is the revised version?
It’s been... ~6 months. I’m going to assume I updated the original here :)
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" ERROR UiAuth