topic Re: How to create a search bar on a dashboard in Splunk Search

How to create a search bar on a dashboard

sadkha — Thu, 14 Aug 2014 20:05:48 GMT

Hello, thank you for reading this!

I am working on some searches for AD data, specfically looking at Failed Logins and Acccount Lockouts. I wrote a query that returns the results of all event codes for the aforementioned events, grouped by Account Lockout events. I'd like for other users to log onto this dashboard, and by simply typing in the "Account_Name" (as it appears in the log) return all the lockout/failed login values for a particular account.

I've been trying to create this search bar using the simple XML edit, however I havent been successful. any help would be greatly appreciated!

My search query looks like this:

search index=auth_ad sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" "EventCode=4740" OR "EventCode=644" OR (EventCode=4771 AND "Audit Failure") OR ("EventCode=672" AND Type="Failure Audit") OR "EventCode=675" | eval "User Account"=coalesce(User_Name,Account_Name) | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | transaction Account_Name startswith="EventCode=4740"

Again any advice would be greatly appreciated!

Re: How to create a search bar on a dashboard

somesoni2 — Thu, 14 Aug 2014 20:17:31 GMT

Try something like this. (provides a textbox and submit button. Textbox for users to input AccountName)

<form>
  <label>Search by Account Name</label> 
  <description /> 
<fieldset submitButton="true">
<input type="text" token="accountName" >
  <label>Account Name</label> 
  <default></default> 
  </input>
  </fieldset>
<row>
<event>
  <title> Failed Logins and Acccount Lockouts</title>
  <searchString>
  index=auth_ad sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" "EventCode=4740" OR "EventCode=644" OR (EventCode=4771 AND "Audit Failure") OR ("EventCode=672" AND Type="Failure Audit") OR "EventCode=675" | eval "User Account"=coalesce(User_Name,Account_Name) | search "User Accont"="$accountName$"| eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | transaction Account_Name startswith="EventCode=4740"
  </searchString> 
  <option name="showPager">true</option>
  <option name="count">20</option>
  <option name="displayRowNumbers">false</option>
</event>
  </row>
  </form>

Re: How to create a search bar on a dashboard

somesoni2 — Mon, 28 Sep 2020 17:20:57 GMT

The token name can be different from actual field name in the logs as we just replace the value of the token in the search. I see your have a eval statement '| eval "User Account"=coalesce(User_Name,Account_Name)' but in rest of the search you use Account_Name instead. If "User Account" field is not to be used then replace '| search "User Accont"="$accountName$"' with '| search Account_Name="$accountName$"' and try

Re: How to create a search bar on a dashboard

sadkha — Wed, 20 Aug 2014 17:30:11 GMT

this worked perfectly. thank you for your help! much appreciated!