Hello everyone,
I have inherited shared responsibility for a Splunk instance. We recently had a user departure, and one of the other Splunk admins changed that user's password so that they couldn't log in.
However, when I look in _audit I see that there is a failed login for that user exactly every 15 minutes around the clock. I fear that they left a shell script behind that is trying to log in.
How can I find out the source of these failed attempts?