Searches will return results containing the terms failed password OR failed password in Splunk

index=_audit action="login attempt" info=failed | stats count as "Failed Attempts" by user | rename user as User

This Splunk search will output a table that will show the count of failed logins by Splunk user.


Suppose you have the following fields: fieldA, fieldB, fieldC. If you search for fieldB!=value3, you will get the results fieldB=value1, fieldB=value2.

If fieldB does not exist in an event, that event is not returned: the != comparison requires the field to be present.

-----------------------------------------------------

Searching with NOT:

If you search for NOT fieldB=value3, the search returns everything except fieldB=value3:

fieldA=value1, fieldA=value2, fieldA=value3
fieldB=value1, fieldB=value2
fieldC=value1, fieldC=value2, fieldC=value3

If fieldB does not exist, NOT fieldB=value3 returns:
fieldA=value1, fieldA=value2, fieldA=value3
fieldC=value1, fieldC=value2, fieldC=value3
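The != versus NOT distinction above matters for exclusion filters in detection searches: a rule written as user!=svc_backup silently drops every event where the user field failed to extract, while NOT user=svc_backup keeps them. The following in-memory emulation, an added example that is not part of the original post, reproduces both behaviours over constructed events (the event set and field names are made up to mirror the text):

```python
# Added example, not from the original post: an in-memory emulation of how
# Splunk treats `fieldB!=value3` versus `NOT fieldB=value3` when the field
# is absent from an event. Events are constructed dicts, not indexed data.
from typing import Callable, Dict, List

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Constructed sample events: one field per event, as in the text above.
EVENTS: List[Event] = [
    {"fieldA": "value1"}, {"fieldA": "value2"}, {"fieldA": "value3"},
    {"fieldB": "value1"}, {"fieldB": "value2"}, {"fieldB": "value3"},
    {"fieldC": "value1"}, {"fieldC": "value2"}, {"fieldC": "value3"},
]


def field_not_equal(field: str, value: str) -> Predicate:
    """`field!=value`: the field must be present AND differ from value.
    Events that lack the field are dropped, which is the trap for
    exclusion filters such as `user!=svc_backup`."""
    return lambda ev: field in ev and ev[field] != value


def not_field_equal(field: str, value: str) -> Predicate:
    """`NOT field=value`: negate the positive match. An event without the
    field never matched `field=value`, so the negation keeps it."""
    return lambda ev: not (field in ev and ev[field] == value)


def search(events: List[Event], predicate: Predicate) -> List[str]:
    """Return the matching events rendered as field=value strings."""
    return [f"{k}={v}" for ev in events if predicate(ev) for k, v in ev.items()]


def without_field(events: List[Event], field: str) -> List[Event]:
    """The 'if fieldB does not exist' case: drop every event carrying the field."""
    return [ev for ev in events if field not in ev]


if __name__ == "__main__":
    print("fieldB!=value3     ->", search(EVENTS, field_not_equal("fieldB", "value3")))
    print("NOT fieldB=value3  ->", search(EVENTS, not_field_equal("fieldB", "value3")))
    no_b = without_field(EVENTS, "fieldB")
    print("no fieldB, !=      ->", search(no_b, field_not_equal("fieldB", "value3")))
    print("no fieldB, NOT     ->", search(no_b, not_field_equal("fieldB", "value3")))
```

Run it and compare the two "no fieldB" lines: the != form returns nothing, the NOT form returns all six remaining events, exactly the two result sets listed above.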

Splunk has robust search functionality that lets you search the entire data set that has been ingested. This feature is accessed through the app named Search & Reporting, which appears in the left sidebar after logging in to the web interface.

On clicking the Search & Reporting app, we are presented with a search box, where we can start searching the log data that we uploaded in the previous chapter.

We type the host name in the format shown below and click the search icon in the rightmost corner. This gives us the result with the search term highlighted.

Combining Search Terms

We can combine search terms by writing them one after another; adjacent terms are implicitly ANDed, and a string that must match as an exact phrase is placed in double quotes.

Using Wild Card

We can use wildcards in our search terms combined with the AND/OR operators. In the search below, we get the results where the log line contains a term matching fail, failed, failure, etc., along with the term password on the same line.

Refining Search Results

We can further refine the search result by selecting a string and adding it to the search. In the example below, we click on the string 3351 and select the option Add to Search.

After 3351 is added to the search terms, we get the result below, which shows only those lines from the log that contain 3351. Also note how the timeline of the search result has changed as we refined the search.
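To make the three rules in this section concrete (implicit AND between bare terms, a double-quoted phrase, a trailing-* wildcard, and narrowing by a value such as 3351), here is an added example, not part of the original tutorial, that mimics the search bar's term matching over a handful of constructed log lines. It also applies Splunk's documented precedence where OR binds tighter than the implicit AND, so `3351 OR 3353 password` is read as (3351 OR 3353) AND password. The log lines, process ids and addresses are made up.

```python
# Added example, not from the original tutorial: a small matcher that mimics
# how Splunk's search bar treats bare terms, a "quoted phrase", a trailing-*
# wildcard and the AND/OR operators, run over constructed log lines.
import re
from typing import List

# Constructed sample log lines (not captured from any real system).
LOG_LINES = [
    "sshd[3351]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "sshd[3352]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
    "login: authentication failure; password check failed for user bob",
    "app: password rotation completed without failures",
    "sshd[3353]: Connection closed by 203.0.113.7 port 51235",
]


def term_matches(term: str, line: str) -> bool:
    """Match one search term against one line, case-insensitively.
    "quoted text" must appear as an exact phrase; fail* matches any token
    beginning with fail; a bare term must match a whole token."""
    if len(term) > 1 and term.startswith('"') and term.endswith('"'):
        return term[1:-1].lower() in line.lower()
    if term.endswith("*"):
        pattern = r"\b" + re.escape(term[:-1]) + r"\w*"
    else:
        pattern = r"\b" + re.escape(term) + r"\b"
    return re.search(pattern, line, re.IGNORECASE) is not None


def parse(tokens: List[str]) -> List[List[str]]:
    """Turn a flat token list into AND-ed operands, each a list of OR
    alternatives. Adjacent terms are implicitly AND-ed and OR binds tighter
    than AND, so ["3351", "OR", "3353", "password"] means
    (3351 OR 3353) AND password."""
    operands: List[List[str]] = []
    join_next = False
    for tok in tokens:
        if tok == "OR":
            join_next = True
        elif tok == "AND":
            continue
        elif join_next and operands:
            operands[-1].append(tok)
            join_next = False
        else:
            operands.append([tok])
    return operands


def search(tokens: List[str], lines: List[str]) -> List[int]:
    """Return the indexes of the lines satisfying the query."""
    operands = parse(tokens)
    return [
        i for i, line in enumerate(lines)
        if all(any(term_matches(alt, line) for alt in op) for op in operands)
    ]


if __name__ == "__main__":
    print("fail* password            ->", search(["fail*", "password"], LOG_LINES))
    print('"failed password"         ->', search(['"failed password"'], LOG_LINES))
    print("fail OR failure OR failed ->", search(["fail", "OR", "failure", "OR", "failed"], LOG_LINES))
    print("fail* password 3351       ->", search(["fail*", "password", "3351"], LOG_LINES))
```

The difference between `failed password` (both tokens anywhere on the line, so the "password check failed" line matches) and `"failed password"` (exact phrase, so only the sshd line matches) is the point the quiz questions later on this page turn on.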

A good place to start.
//static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events.

index=yourindex sourcetype="WinEventLog:Security" EventCode=4625
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID

In case you want it, here is successful login events.

index=yourindex sourcetype="WinEventLog:Security" EventCode=4624
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID

It would help if we knew how the query fails to meet expectations.  As a start, I offer this revision that should better meet the stated requirements.

( index = index1 "Failed password") earliest=-24h
| eventstats count as Per_User_failures by user
| stats latest(_time) as _time, values(host), values(dest_ip), values(src_ip), dc(src_ip) as srcIpCount, list(user), dc(user) as userCount, list(Per_User_failures) as Per_User_failures, max(Per_User_failures) as Max_per_user_failures, count as Total_failures by src_ip dest
| rename values(*) as *
| where Total_failures>10 OR Max_per_user_failures>5

If the "Failed password" string is in a specific field then that field should be specified to improve search performance.

---
If this reply helps you, Karma would be appreciated.
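The two answers above do two different jobs: the first normalises Windows 4625 records (taking the second Account_Name value, which is the target account, and decoding Logon_Type), and the second aggregates "Failed password" events by source and applies the thresholds Total_failures>10 or more than 5 failures for one user. The following added example, which is not code from either answer, does both steps in Python over constructed data so the logic can be checked offline: the hostnames, account names, process ids and addresses are made up, the 4625 records are shaped the way Splunk presents multivalue Account_Name, and the sshd lines follow the standard OpenSSH "Failed password" format.

```python
# Added example, not from either answer above: normalise constructed Windows
# 4625 records and Linux sshd "Failed password" lines into one shape, then
# apply the two thresholds from the SPL above (more than 10 failures from a
# source, or more than 5 for any single user from that source). Hostnames,
# users and addresses are made up.
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# The Logon_Type -> name mapping from the case() in the 4625 search above.
LOGON_TYPE_NAMES = {
    3: "RPC (not RDP)", 4: "Batch", 5: "Service", 7: "Screen Unlock/Session Resume",
    9: "New Credentials", 10: "Remote Desktop", 11: "Cached",
}


class FailedLogin(NamedTuple):
    host: str
    user: str
    src_ip: str
    logon_type: str  # "NULL" when the source does not carry one (fillnull)


# Constructed 4625 records as Splunk presents them: Account_Name is multivalue,
# subject account first and target account second, hence mvindex(Account_Name, 1).
WIN_4625 = [
    {"host": "dc01", "Account_Name": ["-", "alice"], "Logon_Type": "10", "Source_Network_Address": "198.51.100.4"},
    {"host": "dc01", "Account_Name": ["-", "alice"], "Logon_Type": "10", "Source_Network_Address": "198.51.100.4"},
    {"host": "dc01", "Account_Name": ["-", "alice"], "Logon_Type": "3", "Source_Network_Address": "198.51.100.4"},
    {"host": "fs02", "Account_Name": ["-", "alice"], "Logon_Type": "3", "Source_Network_Address": "198.51.100.4"},
    {"host": "fs02", "Account_Name": ["-", "bob"], "Logon_Type": "2", "Source_Network_Address": "192.0.2.5"},
]

# Constructed sshd lines: twelve distinct users tried once each from one
# source (a spray), plus a few stray failures and one success.
SSHD_LINES = [
    f"bastion sshd[{4000 + i}]: Failed password for invalid user user{i:02d} "
    f"from 203.0.113.9 port {50000 + i} ssh2"
    for i in range(12)
] + [
    "bastion sshd[4100]: Failed password for alice from 198.51.100.4 port 50100 ssh2",
    "bastion sshd[4101]: Failed password for alice from 198.51.100.4 port 50101 ssh2",
    "bastion sshd[4102]: Failed password for bob from 192.0.2.5 port 50102 ssh2",
    "bastion sshd[4103]: Accepted password for carol from 192.0.2.6 port 50103 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize_win(rec: dict) -> FailedLogin:
    """Apply the mvindex(Account_Name,1), fillnull and case() steps of the SPL."""
    names = rec["Account_Name"]
    target = names[1] if len(names) > 1 else names[0]
    logon = LOGON_TYPE_NAMES.get(int(rec["Logon_Type"]), "NULL")  # case() has no default branch
    return FailedLogin(rec["host"], target, rec.get("Source_Network_Address", "NULL"), logon)


def normalize_sshd(line: str) -> Optional[FailedLogin]:
    """Extract the fields the SPL relies on from a "Failed password" line."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    return FailedLogin(m["host"], m["user"], m["src"], "NULL")


def build_events() -> List[FailedLogin]:
    events = [normalize_win(r) for r in WIN_4625]
    events += [e for e in map(normalize_sshd, SSHD_LINES) if e is not None]
    return events


def detect(events: List[FailedLogin], total_threshold: int = 10,
           per_user_threshold: int = 5) -> Dict[str, dict]:
    """Group by src_ip like `stats ... by src_ip`, compute Total_failures,
    userCount and the largest per-user count, and keep sources over a threshold."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        per_src[ev.src_ip][ev.user] += 1
    alerts: Dict[str, dict] = {}
    for src, users in per_src.items():
        total = sum(users.values())
        max_per_user = max(users.values())
        if total > total_threshold or max_per_user > per_user_threshold:
            alerts[src] = {"Total_failures": total, "userCount": len(users),
                           "Max_per_user_failures": max_per_user, "users": sorted(users)}
    return alerts


if __name__ == "__main__":
    for src, summary in detect(build_events()).items():
        print(src, summary)
```

The two alerts it produces illustrate why the SPL needs both clauses: 203.0.113.9 trips the total threshold with one failure per user (a spray, which a per-user rule alone would miss), while 198.51.100.4 trips the per-user threshold with only six failures in total (which a total-only rule would miss).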

Which of the following searches will return results containing the words fail, failure, or failed in Splunk?

The asterisk ( * ) character is used as a wildcard character to match fail , failure , failed , failing , and so forth.

Which of the following searches will return results containing the phrase failed password in Splunk?

Use a wildcard combined with the AND/OR operators: a search for the wildcard term together with the term password returns the lines where the log contains fail, failed, failure, etc., along with password on the same line. To match the exact phrase, place failed password in double quotes.

When a search is run in what order are events returned in Splunk?

When you run a search that returns events, by default the events are returned in descending timestamp order, with the most current events returned first.

How do I search for a specific error in Splunk?

You can search by typing keywords in the search bar, such as Error, Login, Logout, Failed, etc. After logging in to your Splunk instance, you can see the Search & Reporting app on the left side. Click on the Search & Reporting app to open it; you will see the search bar with the time range picker.
