Splunk search for Successful and unsuccesful Splunk login attempts
Copy
index=_audit action="log*" | stats count as Attempts by user, info | rename info as "Outcome"
This search will show both successful and unsuccessful Splunk logins. The results are a table with the username that attempted to log in as well as the outcome of their attempt.