So we finally have a working, reliable installation of Splunk on site and I am starting to build some useful queries. There is so much information available that it's almost too hard to make a reliable query that returns the information you need (without false positives).
sourcetype="WinEventLog:Security" User Name: "CategoryString=Logon/Logoff" User_Name="administrator" | chart count(eval(Type="Failure Audit")) as "Login Failures" by src_ip
This will give you a nice chart showing a count of Administrator logon failures by source IP.
If you find yourself getting data that you aren't sure is real or should be ignored, I find the best way to be sure is to verify with a known failure or reproduction of the issue to be tracked. In this case, I simply attempted to log in with a bad password and my attempt showed up after a refresh.
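To make it clear what the chart counts and what it leaves out, here is an added Python example (not part of the original post) that approximates the search over constructed events. The event dicts, IP addresses and function names are assumptions; only the field names come from the query above.

```python
from collections import Counter

# Constructed events: dicts standing in for the fields the search uses
# (CategoryString, User_Name, Type, src_ip). All values are made up.
SAMPLE_EVENTS = [
    {"CategoryString": "Logon/Logoff", "User_Name": "administrator",
     "Type": "Failure Audit", "src_ip": "10.0.0.5"},
    {"CategoryString": "Logon/Logoff", "User_Name": "Administrator",
     "Type": "Failure Audit", "src_ip": "10.0.0.5"},
    {"CategoryString": "Logon/Logoff", "User_Name": "administrator",
     "Type": "Success Audit", "src_ip": "10.0.0.9"},
    {"CategoryString": "Logon/Logoff", "User_Name": "jsmith",
     "Type": "Failure Audit", "src_ip": "10.0.0.5"},
    {"CategoryString": "Logon/Logoff", "User_Name": "administrator",
     "Type": "Failure Audit"},  # no src_ip was extracted for this event
    {"CategoryString": "Object Access", "User_Name": "administrator",
     "Type": "Failure Audit", "src_ip": "10.0.0.7"},
]

def login_failures_by_src_ip(events, user="administrator"):
    """Return ({src_ip: failure_count}, events_dropped_for_missing_src_ip)."""
    counts, dropped = Counter(), 0
    for ev in events:
        if ev.get("CategoryString") != "Logon/Logoff":
            continue
        # Search-time field matching in Splunk ignores case.
        if ev.get("User_Name", "").lower() != user.lower():
            continue
        src = ev.get("src_ip")
        if not src:
            dropped += 1  # "by src_ip" leaves these out of the chart
            continue
        # count(eval(...)) adds 1 only for failures, so a source with
        # only successful logons still gets a row with a count of 0.
        counts[src] += int(ev.get("Type") == "Failure Audit")
    return dict(counts), dropped

def known_failure_shows_up(events, test_ip, user="administrator"):
    """The check from the post: one deliberate bad password from test_ip
    should raise that source's count by exactly one."""
    before = login_failures_by_src_ip(events, user)[0].get(test_ip, 0)
    test_event = {"CategoryString": "Logon/Logoff", "User_Name": user,
                  "Type": "Failure Audit", "src_ip": test_ip}
    after = login_failures_by_src_ip(events + [test_event], user)[0].get(test_ip, 0)
    return after - before == 1

if __name__ == "__main__":
    print(login_failures_by_src_ip(SAMPLE_EVENTS))
```

The dropped count is worth watching: failures with no extracted src_ip never reach the chart, so a quiet chart does not by itself mean there were no failures.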