Splunk search for Splunk failed logins
Copy
index=_audit action="login attempt" info=failed | stats count as "Failed Attempts" by user | rename user as User
This Splunk search will output a table that will show the count of failed logins by Splunk user.