SPL
Failed Attempts to Logon to Splunk Web
Description
The following Splunk search query returns failed attempts by any user to log on to the Splunk Web console, charted over time. It also adds the average of those counts (from eventstats).
index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts | eventstats avg(Failed_Attempts) as Average
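A per-user variant of the search above, added here as an example and not part of the original post: it counts failures per user per time bucket and keeps only the buckets that stand well above the average. The 1-hour span, the StdDev field name and the two-standard-deviation threshold are assumptions to tune for your environment.

```spl
index=_audit action="login attempt" info=failed
``` Assumption: 1-hour buckets; widen or narrow to match your login volume ```
| bin _time span=1h
``` One row per user per bucket, so the result names who failed, not only how often ```
| stats count as Failed_Attempts by _time, user
``` Baseline across all users and buckets in the search window ```
| eventstats avg(Failed_Attempts) as Average, stdev(Failed_Attempts) as StdDev
``` Assumption: flag buckets more than two standard deviations above the average ```
| where Failed_Attempts > Average + 2 * StdDev
| sort - Failed_Attempts
```

If the base search returns no events, as one comment below reports, the filter and the baseline have nothing to work on, so confirm the first line matches events before relying on the result.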
Comments
5 total
I get zero events over All Time when I search for:
index=_audit action="login attempt"
Logging parameter not set correct???
I've made a revision. Looks like either I had a custom defined field, or the splunk search language has changed (most likely the former).
Thanks for pointing this out :)
Where is the revised version?
It's been....~6 months. I'm going to assume I updated the original here :)
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" ERROR UiAuth