https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310662#M19860 <P>It worked thanks</P> Sun, 19 Feb 2017 08:44:54 GMT himapate 2017-02-19T08:44:54Z https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310659#M19857 <P>HI ,</P> <P>I have query for login failure followed with lockout i can search the data and run in the search and reporting app but i am unable to save it as a dashboard . The dashboard shows waiting for inputs . Below is the search string .</P> <PRE><CODE>earliest=-1d@d latest=@d index=wineventlog sourcetype=WinEventLog:Security EventCode="4740" | eval Account=mvindex(Account_Name, 1) | stats count, latest(_time) AS lastBlock by Account | eval modtime=lastBlock - 7200 | fields - count | map maxsearches=1000 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$" | eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me") | regex Account!="\\$" | eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me") | stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip | convert ctime(lastFailure) | rename Account AS "Blocked Account", count AS LoginFailures </CODE></PRE> <P>The error is due to the token being passed which doest not work in dashboard can someone help.</P> Sat, 18 Feb 2017 05:26:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310659#M19857 himapate 2017-02-18T05:26:00Z https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310660#M19858 <P>You gotta change the dashboard to a form if your using anytype of input </P> Sat, 18 Feb 2017 20:58:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310660#M19858 skoelpin 2017-02-18T20:58:37Z https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310661#M19859 <P>You are correct about the cause. To fix, edit the source XML and change all of your dollar-signs ('$') to double-dollar-signs ('$$'), like this: <CODE>$$modtime$$</CODE>.</P> Sat, 18 Feb 2017 22:33:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310661#M19859 woodcock 2017-02-18T22:33:02Z https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310662#M19860 <P>It worked thanks</P> Sun, 19 Feb 2017 08:44:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-login-failure-followed-by-lockout/m-p/310662#M19860 himapate 2017-02-19T08:44:54Z