https://community.splunk.com/t5/Getting-Data-In/Windows-Account-Activity-Reporting/m-p/169605#M34280 <P>I'm looking at creating a dashboard where I can generate standardized reports based on behaviors. To get started, I just want to provide a list of login activity by server to administrators to validate lookup lists as valid.</P> <P>What I'm trying to draw in a table is similar to this:</P> <PRE><CODE>Account Name: | Event Codes | Logon Type | Sparklines | Peak Count | Peak Time Joe Smith | 4624 | 3, 5, 6 | 4624 Spark | 4624 Peak | Time of 4624 peak | 4625 | 0 | 4625 Spark | 4625 Peak | Time of 4625 peak </CODE></PRE> <P>Right now I've got the base search figured out:</P> <P>sourcetype=WinEventLog:Security host=HostNameHere |stats values(EventCode) values(Logon_Type) sparkline(count(Account_Name)) count(Account_Name) by Account_Name | sort Account_Name</P> <P><B>1st problem</B>:<BR /> what I can't get added correctly is peak measurements. I've tried some stats functions like max(count) or eval max=count but they end up null.<BR /> <B>Question</B>: How can I get this to correctly evaluate the peak count &amp; time that is shown in the sparkline?</P> <P><B>2nd problem</B>:<BR /> I can get the eventCodes to all stay in a single cell related to the account name, but I can't get the rest to obey the same principle.<BR /> <B>Question</B>: Is it even possible to format the table as I'm attempting to do? I can't seem to find via Google anyone that has tried to get the values of fields to actually line up with eachother.</P> Mon, 28 Sep 2020 18:32:57 GMT ltrand 2020-09-28T18:32:57Z https://community.splunk.com/t5/Getting-Data-In/Windows-Account-Activity-Reporting/m-p/169605#M34280 <P>I'm looking at creating a dashboard where I can generate standardized reports based on behaviors. To get started, I just want to provide a list of login activity by server to administrators to validate lookup lists as valid.</P> <P>What I'm trying to draw in a table is similar to this:</P> <PRE><CODE>Account Name: | Event Codes | Logon Type | Sparklines | Peak Count | Peak Time Joe Smith | 4624 | 3, 5, 6 | 4624 Spark | 4624 Peak | Time of 4624 peak | 4625 | 0 | 4625 Spark | 4625 Peak | Time of 4625 peak </CODE></PRE> <P>Right now I've got the base search figured out:</P> <P>sourcetype=WinEventLog:Security host=HostNameHere |stats values(EventCode) values(Logon_Type) sparkline(count(Account_Name)) count(Account_Name) by Account_Name | sort Account_Name</P> <P><B>1st problem</B>:<BR /> what I can't get added correctly is peak measurements. I've tried some stats functions like max(count) or eval max=count but they end up null.<BR /> <B>Question</B>: How can I get this to correctly evaluate the peak count &amp; time that is shown in the sparkline?</P> <P><B>2nd problem</B>:<BR /> I can get the eventCodes to all stay in a single cell related to the account name, but I can't get the rest to obey the same principle.<BR /> <B>Question</B>: Is it even possible to format the table as I'm attempting to do? I can't seem to find via Google anyone that has tried to get the values of fields to actually line up with eachother.</P> Mon, 28 Sep 2020 18:32:57 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Account-Activity-Reporting/m-p/169605#M34280 ltrand 2020-09-28T18:32:57Z https://community.splunk.com/t5/Getting-Data-In/Windows-Account-Activity-Reporting/m-p/169606#M34281 <P>1st problem:What is this?</P> <P>Sourcetype=WinEventLog:Security host=HostNameHere |stats values(EventCode) as Event_Codes values(Logon_Type) as Logon_Type sparkline by Account_Name | join Account_Name [search Sourcetype=WinEventLog:Security host=HostNameHere | bucket _time span=1m|stats count as peak_count by _time,Account_Name |dedup Account_Name sortby -peak_count |rename _time as peak_time]</P> <P>Notes: peak will only display only items first.</P> <P>2nd problem:I'm sorry. Problems I do not know well. Can you explain a little more detail?</P> Mon, 28 Sep 2020 18:30:10 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Account-Activity-Reporting/m-p/169606#M34281 HiroshiSatoh 2020-09-28T18:30:10Z