HI ,
I have query for login failure followed with lockout i can search the data and run in the search and reporting app but i am unable to save it as a dashboard . The dashboard shows waiting for inputs . Below is the search string .
earliest=-1d@d latest=@d index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1)
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 7200
| fields - count
| map maxsearches=1000 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
| regex Account!="\\$"
| eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip
| convert ctime(lastFailure)
| rename Account AS "Blocked Account", count AS LoginFailures
The error is due to the token being passed which doest not work in dashboard can someone help.
You are correct about the cause. To fix, edit the source XML and change all of your dollar-signs ('$') to double-dollar-signs ('$$'), like this: $$modtime$$
.
You are correct about the cause. To fix, edit the source XML and change all of your dollar-signs ('$') to double-dollar-signs ('$$'), like this: $$modtime$$
.
It worked thanks
You gotta change the dashboard to a form if your using anytype of input