I have a quick question regarding dashboards. I would like to know if the search queries I have provided on dashboard panels can be applied after I input some value such as a user name. What I mean is that based on the username I provide on the search head or wherever, the panels will give results. In other words, these panels will give different results based on the username. Basically, I want to create a dashboard which summarizes user activity.
Search queries I'm using are:
%Windows failed logins (count and source)
Keywords="Audit Failure" (EventCode=4625 OR EventCode=4771) | stats count by user dst src | fields user src dst count | rename dst as System | sort -count
%Windows failed logins (times)
Keywords="Audit Failure" (EventCode=4625 OR EventCode=4771) | bucket _time span=1h | stats count by _time user
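
One way to drive both searches from a typed user name is a Simple XML form with a text input whose token is substituted into each panel's query. This is an added example, not part of the original post: the token names `user_tok` and `time_tok`, the dashboard label, the defaults and the chart type are assumptions, and it filters on the `user` field the post's queries already use.

```xml
<form version="1.1">
  <label>User activity summary</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Text box that sets the token; the name user_tok is an assumption -->
    <input type="text" token="user_tok" searchWhenChanged="false">
      <label>User name</label>
      <default>*</default>
    </input>
    <!-- Time picker shared by both panels; time_tok is an assumption -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Windows failed logins (count and source)</title>
      <table>
        <search>
          <!-- The |s filter wraps the typed value in quotes, so it is
               treated as a literal and cannot append search commands -->
          <query>Keywords="Audit Failure" (EventCode=4625 OR EventCode=4771) user=$user_tok|s$ | stats count by user dst src | fields user src dst count | rename dst as System | sort -count</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Windows failed logins (times)</title>
      <chart>
        <search>
          <query>Keywords="Audit Failure" (EventCode=4625 OR EventCode=4771) user=$user_tok|s$ | bucket _time span=1h | stats count by _time user</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

With the default `*` the panels cover every user until a name is submitted.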