Splunk search for failed Linux logins by user
sourcetype=linux_secure tag=authentication action=failure | stats count by user | sort - count
This Splunk search returns a table of Linux users with a count of how many times each has attempted but failed to log in, sorted from the highest count to the lowest.
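
To show what the search computes, here is an added Python example (not part of the original search) that applies the same count-by-user, sort-descending aggregation to constructed sshd lines in the /var/log/secure format. It assumes the events tagged action=failure are sshd "Failed password" lines; the function name, hosts, users and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample events (documentation addresses, made-up hosts and users).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:09 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:16:40 web01 sshd[2230]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:17:02 web01 sshd[2241]: Failed password for alice from 198.51.100.20 port 40031 ssh2
Mar  3 10:17:30 web01 sshd[2250]: Failed password for root from 192.0.2.55 port 33001 ssh2
"""

# sshd logs "Failed password for <user>" for known accounts and
# "Failed password for invalid user <user>" for names that do not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def failed_logins_by_user(log_text):
    """Equivalent of: action=failure | stats count by user | sort - count."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:  # successful logins and unrelated lines are skipped
            counts[match.group("user")] += 1
    # Highest count first; ties broken by user name so the output is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(f"{'user':<10} count")
    for user, count in failed_logins_by_user(SAMPLE_LOG):
        print(f"{user:<10} {count}")
```

Attempts against nonexistent accounts ("invalid user") are counted under the attempted name, so guessed usernames appear in the table alongside real ones.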