Hi Splunker;
I have the following search:
| from datamodel:Authentication.Failed_Authentication
|search action=failure | search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle) | search user!=Rutsadmin OR user!=adaudit OR user!=adminaa OR user!=exchRplus OR user!=slomadmin OR user!=splunk OR user!=zakat OR user!=zulfeqar OR user!=zulfi OR user!=zulfiadmin
| rex field=user "(?PRutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi)" | stats count(action) as "count failed normal user" count(user1) as "count failed admin user" | transpose
I need to display count number on pie chart for each "count failed normal user" and "count failed admin user".
I want your support on that.
A few things...
First, be sure to put your search in the code blocks here. Otherwise things like the capture group in your regex get stripped out, so we have to guess what was there.
Second, not sure if this search is a work in progress, but the last search command doesn't make a lot of sense from a boolean perspective - combining a bunch of user!=xxx with OR's sort of defeats the purpose of doing anything there. Maybe you meant to AND them together... but then that wouldn't really make sense since you seem to want to include admin users in your results.
Third, when wanting to use a pie chart, it's probably easiest to stuff all of the different values you want into one field and then do a stats count against that field.
Again, kinda hard to determine exactly what you're after just based on your search, but maybe something like this will work or get you closer.
| from datamodel:Authentication.Failed_Authentication
|search action=failure
| search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle)
| eval user_type = if(match(user,"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"),"admin","normal")
| stats count by user_type
Thank you for your reply and clarification;
I need to display on the pie chart the count of failed logins for each field; I don't need to display the count of failed logins for each result.
Regards;
I don't understand what you're asking for exactly. Can you figure out the search you need based on the example I provided?
I thought you wanted a count based on normal vs admin users. If that's not the case and you need more help, please tell me exactly which fields you need in the pie chart.
Thank you;
I have benefited a lot from your search, and after implementing it and adding some commands, the search has become the following:
| from datamodel:Authentication.Failed_Authentication
|search action=failure
| search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle)
| eval user_type = if(match(user,"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"),"failed admin user","failed normal user")
| stats count by user_type | eval signature_slice = "Count: " + count + ", " + user_type | fields signature_slice count
Now I have another question: is there a way to control the color for the signature_slice field, which has variable results?
If this is in a dashboard, you should be able to use the charting.seriesColors option for your chart in the Simple XML:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference
For example:
<option name="charting.seriesColors">[0x6a5c9e, 0x31a35f]</option>
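As an added illustration (not code from the thread), the Python below mimics Splunk's unanchored match() on a constructed list of user values to show what the eval in the searches above actually classifies, and why anchoring the pattern matters when account names are substrings of other names; it also builds the "Count: N, type" slice labels, whose text changes with the data, which is why seriesColors is applied by series position rather than by label.

```python
import re
from collections import Counter

# Admin-account alternation copied from the thread's eval match(...) call.
ADMIN_PATTERN = r"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"


def classify(user, pattern=ADMIN_PATTERN, anchored=False):
    """Mirror Splunk's match(): a case-sensitive, unanchored regex search over the value.

    With anchored=True the whole user value must equal one alternative, so
    'notadminaa' or 'splunk-reader' are no longer counted as admin accounts.
    """
    if anchored:
        pattern = r"^(?:" + pattern + r")$"
    return "failed admin user" if re.search(pattern, user) else "failed normal user"


def count_by_user_type(users, anchored=False):
    """Equivalent of `| stats count by user_type` for a list of failed-login users."""
    return dict(Counter(classify(u, anchored=anchored) for u in users))


def slice_labels(counts):
    """Equivalent of `| eval signature_slice = "Count: " + count + ", " + user_type`."""
    return {"Count: %d, %s" % (n, user_type): n for user_type, n in counts.items()}


# Constructed sample of user values from failed-authentication events (not real data).
SAMPLE_USERS = ["adaudit", "jsmith", "splunk", "notadminaa", "splunk-reader", "zulfi01", "mary.k"]

if __name__ == "__main__":
    print("unanchored:", count_by_user_type(SAMPLE_USERS))            # admin 5, normal 2
    print("anchored:  ", count_by_user_type(SAMPLE_USERS, anchored=True))  # admin 3, normal 4
    print("labels:    ", slice_labels(count_by_user_type(SAMPLE_USERS, anchored=True)))
```

Because the slice label embeds the count, a colour map keyed on the label would not survive the next run; if a fixed colour per user type is wanted, keep user_type as the field the chart splits on and put the count in the legend or a tooltip instead.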