Dashboards & Visualizations

How to build a dynamic dashboard for ad events?

Path Finder

Hi team!

I need a dashboard that shows when a Windows account is blocked (EventCode = 4740), but at the same time I want it to disappear if after a time it finds EventCode = 4767 (when the account has been unlocked).

I only want to show blocked accounts.

Is it possible to do something like that?

This is what I have. Any advice?

index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time 
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
1 Solution

Esteemed Legend

Like this:

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user


Path Finder

Thanks for your answer.

I've tried it, but it's not working.

I have the case in which it shows me a blocking event (4740), but after 20 minutes an unlocking event (4767) appears, so it should not be showing me the previous events. But it does.

Any ideas?

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)


Esteemed Legend

You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.


Path Finder

I did that and it works:

index=main (EventCode=4740 OR EventCode=4767)

| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombre_de_equipo_del_autor_de_la_llamada), values(action), values(_time), values(name) by Nombre_de_cuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombre_de_cuenta as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(_time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date


It works! Thank you


Path Finder

I have an idea!

With this I have events with 2 EventCodes:

index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| stats values(_time), values(EventCode) by Nombre_de_cuenta

And if I merge the two EventCodes into a single field, I get something like "47404767".

So I can do: | where MostRecentEventCode!="4767" or MostRecentEventCode!="47404767"

Can I do it? How?


SplunkTrust

@christianubeda,

Does this work for you?

index=main (EventCode=4740 OR EventCode=4767)
| stats latest(EventCode) as EventCode ... "other required fields here" by Account_Field_Name
| where EventCode=4740
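An added example, not from any poster in this thread, that applies the same "latest event per account" idea with latest() (keyed on _time, so it does not depend on the search's sort order) and carries the dashboard fields through. It assumes that Nombre_de_cuenta is extracted as a multivalue field on both event codes, with the target (locked or unlocked) account as the last value, which is why the first attempt that grouped BY Nombre_de_cuenta directly did not pair the 4740 with its 4767; the output field names are assumptions.

```spl
index=main (EventCode=4740 OR EventCode=4767)
| eval account=mvindex(Nombre_de_cuenta, -1)
| eval caller=if(EventCode=4740, Nombre_de_equipo_del_autor_de_la_llamada, null())
| stats latest(EventCode) AS last_code latest(_time) AS last_time latest(host) AS dc latest(caller) AS caller BY account
| where last_code=4740
| eval Date=strftime(last_time, "%m/%d/%Y %H:%M:%S")
| table account dc caller Date
```

An account drops out of the table as soon as a 4767 for it is newer than its last 4740; if the panel's time range is shorter than the lockout duration, the 4740 can age out of the window before the 4767 arrives, so size the range accordingly or check with a stats count BY account, EventCode first.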