Splunk search for Failed linux logins by source IP
Copy
sourcetype=linux_secure tag=authentication action=failure | stats values(user) as user, count by src
This search will provide a breakdown the number of failed logins to a linux system by user and source IP