SPL
Failed Attempts to Log On to Splunk Web
Description
The following Splunk search query returns failed attempts to log on to the Splunk Web console as a count over time. It also includes the average number of failed attempts (computed with eventstats).
index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts | eventstats avg(Failed_Attempts) as Average
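One way to turn the average into a detection, as an added example that is not part of the original post: it keeps only the time buckets whose failure count is well above the baseline. The one-hour span and the two-standard-deviation threshold are assumed values to tune, and the search relies on the same action and info fields as the query above.

```spl
index=_audit action="login attempt" info=failed
| timechart span=1h count(user) as Failed_Attempts
| eventstats avg(Failed_Attempts) as Average, stdev(Failed_Attempts) as StdDev
| eval Threshold = round(Average + 2 * StdDev, 2)
| where Failed_Attempts > Threshold
| table _time, Failed_Attempts, Average, Threshold
```

Because timechart fills empty buckets with 0, quiet hours pull the average down, so run it over a window long enough to give a representative baseline.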
Comments
5 total
I get zero events over All Time when I search for:
index=_audit action="login attempt"
Logging parameter not set correctly???
I've made a revision. Looks like either I had a custom defined field, or the Splunk search language has changed (most likely the former).
Thanks for pointing this out :)
Where is the revised version?
It's been....~6 months. I'm going to assume I updated the original here :)
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" ERROR UiAuth