Tags: splunk, splunk-query

Splunk Failed Login Report


I am relatively new to Splunk and I am trying to create a report that will display a hostname and the number of times that host failed to login within the past five minutes, when they failed 3 or more times. The only way I was able to get the initial search results I want is to look only within the past 5 minutes, as you can see in my query:

index="wineventlog" EventCode=4625 earliest=-5min | stats count by host,_time | stats count by host | search count > 2

This returns the host and the count. The issue is that if I use this query in my report, it can run every five minutes, but the hosts that were listed previously get removed, as they are no longer included in the search results.

I found ways to generate logs that I can then search for separately (http://docs.splunk.com/Documentation/Splunk/6.6.2/Alert/LogEvents) but it didn't work the way I expected.

I am looking for an answer to any of these questions that can help me get the intended results:

  1. Can my original search be improved to still only get results where the failed logins were within 5 minutes but be able to search over any time period?
  2. Is there a way to send the results from the query I already have to a report, where the results will not be cleared out when the search is run again?
  3. Is there any other option I haven't considered to achieve the desired result?

Solution

  • If you only care about the last 5 minutes then search only the last 5 minutes. Searching more is just wasting resources.

    Consider writing your results to a summary index (using collect) with a scheduled search and have your report/dashboard display values from the summary index.
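Concretely, the summary-index approach the answer describes, written out as an added example that is not part of the original question or answer. The index name `summary`, the `source` value `failed_login_report` used to tag the summarised events, the field name `failed_logins`, and the 5-minute `bin` span are assumptions chosen for illustration; `index="wineventlog"` and `EventCode=4625` come from the question. The first search is the one to schedule every five minutes; the second is the report that reads what the scheduled search has accumulated.

```spl
index="wineventlog" EventCode=4625 earliest=-5m@m latest=@m
| bin _time span=5m
| stats count AS failed_logins BY _time, host
| where failed_logins >= 3
| collect index=summary source="failed_login_report"

index=summary source="failed_login_report" earliest=-24h
| table _time, host, failed_logins
| sort - _time
```

The scheduled search snaps its window to the minute (`-5m@m` to `@m`) so consecutive runs do not overlap and a host's failures are not counted twice; `bin` assigns each result a `_time` at the start of its 5-minute bucket, which `collect` keeps as the timestamp of the summarised event (the `addtime` option defaults to true). `collect` writes with `sourcetype=stash`, so the rows do not count against licence volume, and because the threshold is applied before `collect`, the summary index only ever holds hosts that crossed it. The report search can then use any time range without re-scanning the raw Windows event logs, which answers the original question 1 as well: the 5-minute window is enforced when the data is summarised, not when it is reported.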