Failed Logon Attempts - Windows

The following Splunk query will show a timechart of failed logon attempts per host:

source="WinEventLog:security" EventCode=4625 
| timechart span=1h count by host

The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the table itself.

source="WinEventLog:security" EventCode=4625
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host) 
| eval hammer=_time 
| bucket span=5m hammer 
| stats count sparkline by user host, hammer, Workstation_Name
| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("5 minute blocks")

#Admin Notes - This query has replaced the original query on GoSplunk due to changes in the way Splunk displays windows data as well as eliminated pre-Windows 2008 EventCodes.