I have a few login failures then a success for Administrator and this is what I have but it doesn't seem to be getting any results:
source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| bin _time span=5m as minute
| eval username=mvindex(Account_Name, 1)
| stats count(Keywords) as Attempts,
    count(eval(match(Keywords,"Audit Failure"))) as Failed,
    count(eval(match(Keywords,"Audit Success"))) as Success by minute, username
| where Failed>=2 AND Success>0
Any ideas on a better way to find failed login attempts for a user and then a successful login?
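The same detection expressed outside Splunk, as an added example that is not part of the original question or of the Splunk Security Essentials app: it reproduces the query's logic (5-minute windows, target account taken from the second Account_Name value, failures and successes counted per window and account) over a handful of constructed 4624/4625 events, and goes one step further by requiring that the failures precede the first success in the window, which the stats-based query does not check. The event dictionaries, field names and timestamps are constructed sample data, and `find_failures_then_success` / `window_start` are names chosen for this example.

```python
from collections import defaultdict
from datetime import datetime

SPAN_MINUTES = 5  # same window as "bin _time span=5m" in the question

# Constructed sample events (not real logs). They mimic the fields Splunk extracts
# from Windows Security events 4624/4625. Account_Name is multivalue in these
# events: index 0 is the subject (calling) account, index 1 is the target account,
# which is why the question's query uses mvindex(Account_Name, 1).
SAMPLE_EVENTS = [
    {"_time": "2024-01-01 10:00:05", "EventCode": 4625, "Account_Name": ["-", "Administrator"], "Keywords": "Audit Failure"},
    {"_time": "2024-01-01 10:00:40", "EventCode": 4625, "Account_Name": ["-", "Administrator"], "Keywords": "Audit Failure"},
    {"_time": "2024-01-01 10:01:10", "EventCode": 4625, "Account_Name": ["-", "Administrator"], "Keywords": "Audit Failure"},
    {"_time": "2024-01-01 10:02:30", "EventCode": 4624, "Account_Name": ["SYSTEM", "Administrator"], "Keywords": "Audit Success"},
    {"_time": "2024-01-01 10:03:00", "EventCode": 4624, "Account_Name": ["SYSTEM", "jsmith"], "Keywords": "Audit Success"},
    # failures with no success in the window: should not match
    {"_time": "2024-01-01 10:07:00", "EventCode": 4625, "Account_Name": ["-", "svc_backup"], "Keywords": "Audit Failure"},
    {"_time": "2024-01-01 10:08:00", "EventCode": 4625, "Account_Name": ["-", "svc_backup"], "Keywords": "Audit Failure"},
    # success that happens BEFORE the failures: the count-only query would flag it, this one does not
    {"_time": "2024-01-01 10:11:00", "EventCode": 4624, "Account_Name": ["SYSTEM", "bob"], "Keywords": "Audit Success"},
    {"_time": "2024-01-01 10:12:00", "EventCode": 4625, "Account_Name": ["-", "bob"], "Keywords": "Audit Failure"},
    {"_time": "2024-01-01 10:13:00", "EventCode": 4625, "Account_Name": ["-", "bob"], "Keywords": "Audit Failure"},
]

EPOCH = datetime(1970, 1, 1)


def window_start(ts, span_minutes=SPAN_MINUTES):
    """Floor a timestamp to the start of its fixed-size window (what bin _time does)."""
    span = span_minutes * 60
    seconds = int((ts - EPOCH).total_seconds())
    return datetime.fromtimestamp(0) if False else EPOCH.__class__.utcfromtimestamp(seconds - seconds % span)


def find_failures_then_success(events, span_minutes=SPAN_MINUTES, min_failures=2):
    """Return (window, target account) pairs with >= min_failures failed logons
    followed, inside the same window, by at least one successful logon."""
    per_key = defaultdict(lambda: {"failed": 0, "success": 0,
                                   "failures_before_success": 0, "first_success": None})
    # Process in time order so "before the first success" is meaningful.
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] not in (4624, 4625):
            continue
        ts = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
        names = ev["Account_Name"]
        if len(names) < 2:
            continue  # single-valued field: mvindex(Account_Name, 1) would be null in SPL
        user = names[1]  # target account, as in the question's eval
        rec = per_key[(window_start(ts, span_minutes), user)]
        if "Audit Failure" in ev["Keywords"]:
            rec["failed"] += 1
            if rec["first_success"] is None:
                rec["failures_before_success"] += 1
        elif "Audit Success" in ev["Keywords"]:
            rec["success"] += 1
            if rec["first_success"] is None:
                rec["first_success"] = ts

    hits = []
    for (window, user), rec in sorted(per_key.items()):
        if rec["failures_before_success"] >= min_failures and rec["success"] >= 1:
            hits.append({
                "window": window.strftime("%Y-%m-%d %H:%M:%S"),
                "username": user,
                "failed": rec["failed"],
                "success": rec["success"],
                "first_success": rec["first_success"].strftime("%Y-%m-%d %H:%M:%S"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_failures_then_success(SAMPLE_EVENTS):
        print(hit)
```

Only the Administrator window is reported: svc_backup has failures but no success, and bob's success precedes the failures. The ordering check is the piece worth carrying back into SPL (for example by comparing the earliest failure time against the earliest success time per account) if the goal is specifically "failures, then a success" rather than "both occurred in the same five minutes".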
The Splunk Security Essentials app has an example Brute Force Attempt Detection query.