Hi,
Actually I have 4 dashboard panels for Active Directory, but only two are showing information and two are waiting for input. The source code of the form view is given below:
AD Auth Report
Passed Logins
<input type="multiselect" searchWhenChanged="true" token="mv5">
<default>[object Object]</default>
</input>
<panel>
<table>
<title>Passed Logins</title>
<searchString>index = windows NOT Account_Name="*$" Account_Domain != - AND Account_Domain != EU EventCode=4634 | stats count by Account_Domain , Account_Name</searchString>
</table>
</panel>
<panel>
<event>
<title>Passed Non EU Account</title>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
<earliestTime>-24h@h</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">0</option>
<option name="dataOverlayMode">none</option>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="count">10</option>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
<panel>
<table>
<title>Failed User Logon in last 24 Hrs</title>
<searchString>index=windows EventCode=4625 | rex "(?ms)Failure Information.+?Failure Reason:\s+(?<failure_information>\V+)" | stats count by ComputerName , Workstation_Name, user , Source_Network_Address, failure_information, signature | sort -count</searchString>
<earliestTime>-24h@h</earliestTime>
<latestTime>now</latestTime>
</table>
</panel>
<panel>
<event>
<title>Passed Non EU Accounts</title>
<searchName>Passed Non EU Accounts</searchName>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="count">10</option>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
Escape your dollar signs with a second dollar sign.
Your panels work when there is only a single dollar sign... but when there is a second dollar sign somewhere else in the search (see your 2nd and 4th search) Splunk sees that as a (huge) $variable_name$. When you use $$, that becomes escaped, similar to backslashes in strings or regexes.
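The check below is an added example, not part of the original answer or of Splunk's own code: it applies the rule described above to a search string, lists the spans a dashboard would read as tokens, and doubles the literal dollar signs while leaving real input tokens such as the form's mv5 alone. The token model is a simplified assumption, the function names are hypothetical, and the sample searches are shortened from the ones in the question.

```python
import re

# Simplified model of the behaviour the answer describes (an assumption, not
# Splunk's parser): "$$" is a literal dollar, any other "$" opens a token
# that runs to the next "$".
TOKEN_RE = re.compile(r"\$\$|\$([^$]*)\$")

def find_tokens(search):
    """Names the dashboard would try to resolve as tokens in `search`."""
    return [m.group(1) for m in TOKEN_RE.finditer(search) if m.group(1) is not None]

def unresolved_tokens(search, known_tokens=()):
    """Tokens that no form input defines; these leave a panel waiting for input."""
    return [t for t in find_tokens(search) if t not in known_tokens]

def escape_literals(search, known_tokens=()):
    """Double every literal "$"; keep known tokens and already doubled dollars."""
    names = "|".join(re.escape(t) for t in known_tokens)
    keep = r"\$\$" + (rf"|\$(?:{names})\$" if names else "")
    return re.sub(rf"({keep})|\$", lambda m: m.group(1) or "$$", search)

# Constructed samples, shortened from the searches in the question.
ONE_DOLLAR = 'index=windows NOT Account_Name="*$" EventCode=4634'
TWO_DOLLARS = 'index=windows EventCode=4624 | search Account_Name!="*$" Account_Domain!=EU NOT Account_Name="*$"'
WITH_INPUT = 'index=windows Account_Domain=$mv5$ NOT Account_Name="*$"'  # mv5: the form's input token

if __name__ == "__main__":
    for s in (ONE_DOLLAR, TWO_DOLLARS, WITH_INPUT):
        print(unresolved_tokens(s, ("mv5",)), "->", escape_literals(s, ("mv5",)))
```

Running it over each searchString before saving a dashboard shows which machine-account filters ("*$") would be swallowed into a token, which matters because a panel that never runs silently drops that logon data from the report.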