Hi Splunkers:
I am trying to create a simple table that has the columns: User, Failed Authentication Attempts, Domain, and Locked?
User would be, of course, the user
Failed Authentication Attempts would show up if greater than 3
Domain would show the domain they were attempting to authenticate against
Locked would be a yes or no value
It's the locked out part I am having trouble with.
Here is my search:
index=wineventlog Account_Domain=* ("EventCode=4625" OR "EventCode=4740") | head 10 | stats count by user Account_Domain | search count>3 | table user count Account_Domain | rename user as "User" count as "Failed Authentication Attempts" Account_Domain as "Domain"
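One way to derive the Locked? column described above, as an added example that is not part of the original post: count the 4625 and 4740 events separately per user and domain, then turn the lockout count into a Yes/No value. The sample events generated by `makeresults` are constructed, and it is an assumption that the 4740 events carry the same `user` and `Account_Domain` values as the 4625 events.

```spl
| makeresults format=csv data="user,Account_Domain,EventCode
alice,CORP,4625
alice,CORP,4625
alice,CORP,4625
alice,CORP,4625
alice,CORP,4625
alice,CORP,4740
bob,CORP,4625
bob,CORP,4625
bob,CORP,4625
bob,CORP,4625
carol,LAB,4625
carol,LAB,4625"
| stats count(eval(EventCode=4625)) as failed count(eval(EventCode=4740)) as lockouts by user Account_Domain
| where failed>3
| eval Locked=if(lockouts>0, "Yes", "No")
| table user failed Account_Domain Locked
| rename user as "User" failed as "Failed Authentication Attempts" Account_Domain as "Domain" Locked as "Locked?"
```

Against real data, replace the `makeresults` block with a base search such as `index=wineventlog Account_Domain=* (EventCode=4625 OR EventCode=4740)`. Any `head` before the `stats` limits how many events are counted, so it is left out here.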