Dashboards & Visualizations

Dashboard for login failure followed by lockout

himapate
Explorer

HI ,

I have query for login failure followed with lockout i can search the data and run in the search and reporting app but i am unable to save it as a dashboard . The dashboard shows waiting for inputs . Below is the search string .

earliest=-1d@d latest=@d index=wineventlog sourcetype=WinEventLog:Security EventCode="4740" 
 | eval Account=mvindex(Account_Name, 1)
 | stats count, latest(_time) AS lastBlock by Account
 | eval modtime=lastBlock - 7200
 | fields - count
 | map maxsearches=1000 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
 | eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
 | regex Account!="\\$"
 | eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
 | stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip 
 | convert ctime(lastFailure) 
 | rename Account AS "Blocked Account", count AS LoginFailures

The error is due to the token being passed which doest not work in dashboard can someone help.

0 Karma
1 Solution

woodcock
Esteemed Legend

You are correct about the cause. To fix, edit the source XML and change all of your dollar-signs ('$') to double-dollar-signs ('$$'), like this: $$modtime$$.

View solution in original post

0 Karma

woodcock
Esteemed Legend

You are correct about the cause. To fix, edit the source XML and change all of your dollar-signs ('$') to double-dollar-signs ('$$'), like this: $$modtime$$.

0 Karma

himapate
Explorer

It worked thanks

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You gotta change the dashboard to a form if your using anytype of input

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...