Skip to main content


Splunk Lantern

Top audit failures by user in Dell Isilon NAS

You might need to see top audit failure by user in your Dell Isilon (network attached storage) NAS when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


If a user is unable to access content or resources for any reason, it’s reported in the audit logs. For example, you might have an application that’s not behaving the way you expect it to because access is no longer granted to it. Alternatively, the audit logs might expose an unauthorized user looking around the file system and getting multiple access denied messages. You want to detect and fix permissions issues for applications, and to monitor and address potentially suspicious user access issues. 

To optimize the search shown below, you should specify an index and a time range. 

  1. Run the following search: 
sourcetype=emc:isilon:* app=audit_protocol event_result=FAILED
| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path
| fieldformat Times=strftime(Times, "%+")
| sort - Failures

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search only EMC Isilon data.


Select events where the app field is set to audit_protocol. 


Search for failed events. 

| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path

Count the number of failed attempts and get the corresponding user and cluster name. 

| fieldformat Times=strftime(Times, "%+")

Convert the way the time is displayed into the format of the locale, as defined by the server's operating system.

Fieldformat does not change the underlying value of the field.

| sort - Failures

Sort the results with the highest number of failures per file path first.


This search produces a table showing the user and the file path involved in the failure grouped by cluster. The number of faults and the time the fault occurred is also listed. If you wanted to condense the output, you could omit the values(_time) operator from the stats command. Then, the fieldformat would be ignored. You may want to do this if the frequency of errors on a single file path is high.

  • Was this article helpful?