This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names: sourcetype=linux_secure | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?gdm-\w+)\S:\s” | search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?\S+)\s.+\Sgdm-password:auth\S:\s(?\w+\s\w+);\s.+user=(?\S+)” | search authstatus=”authentication failure” | stats count […]