Jan 6, 2011

Useful Splunk Queries

So we finally have a working, reliable installation of Splunk on site and I am starting to build some useful queries. There is so much information available that it's almost too hard to write a reliable query which returns the information you need (without false positives).

sourcetype="WinEventLog:Security" "User Name:" CategoryString="Logon/Logoff" User_Name="administrator" | chart count(eval(Type="Failure Audit")) as "Login Failures" by src_ip

This will give you a nice chart showing a count of Administrator logon failures by source IP.

If you find yourself getting data that you aren't sure is real or should be ignored, I find the best way to be sure is to verify against a known failure, or a reproduction of the issue you want to track. In this case, I simply attempted to log in with a bad password and my attempt showed up after a refresh.
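To sanity-check what the chart should show before trusting the Splunk output (the verification step above), here is an added Python replica of the query's filter-and-count logic run over constructed sample events. It is not part of the original post or of Splunk, and it assumes the extracted field names are CategoryString, User_Name, Type and src_ip, as in the query.

```python
import re
from collections import Counter

# Constructed sample events in the key="value" form Splunk extracts from
# WinEventLog:Security (assumed field names). Not real log data.
SAMPLE_EVENTS = """\
Type="Failure Audit" CategoryString="Logon/Logoff" User_Name="administrator" src_ip="10.0.0.5"
Type="Failure Audit" CategoryString="Logon/Logoff" User_Name="administrator" src_ip="10.0.0.5"
Type="Success Audit" CategoryString="Logon/Logoff" User_Name="administrator" src_ip="10.0.0.5"
Type="Failure Audit" CategoryString="Logon/Logoff" User_Name="jsmith" src_ip="10.0.0.7"
Type="Failure Audit" CategoryString="Logon/Logoff" User_Name="Administrator" src_ip="10.0.0.9"
Type="Failure Audit" CategoryString="Account Management" User_Name="administrator" src_ip="10.0.0.9"
Type="Success Audit" CategoryString="Logon/Logoff" User_Name="administrator" src_ip="10.0.0.11"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def field_matches(event, field, value):
    """Splunk compares field values case-insensitively, so mirror that."""
    return event.get(field, "").lower() == value.lower()


def admin_logon_failures_by_src(raw, user="administrator"):
    """Replicate: CategoryString="Logon/Logoff" User_Name=<user>
    | chart count(eval(Type="Failure Audit")) by src_ip

    Every src_ip that survives the search filter gets a row, and
    count(eval(...)) only increments for events where the eval is true,
    so a source with only successful logons shows up with a count of 0.
    """
    counts = Counter()
    for line in raw.splitlines():
        ev = parse_event(line)
        if not field_matches(ev, "CategoryString", "Logon/Logoff"):
            continue
        if not field_matches(ev, "User_Name", user):
            continue
        src = ev.get("src_ip", "unknown")
        counts[src] += 0  # create the row, as chart ... by src_ip does
        if field_matches(ev, "Type", "Failure Audit"):
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(admin_logon_failures_by_src(SAMPLE_EVENTS).items()):
        print(f"{src:15} Login Failures={n}")
```

The zero-count row for 10.0.0.11 is the kind of entry that looks like noise in the chart; it is there because the filter matched the successful logon, not because a failure occurred.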