- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Visualization limit
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
with the search below I identify the account locked-out - I am using "column chart" output and under visualization format there is no limit but as result only ten Account names are displayed. I have no idea where this limit has been introduced and I need to display all Account locked-out
Thank you in advance for the attention given
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Try this
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Try this
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
The timechart command has a limit option, I thought the default was documented, but don't see it in the docs. This earlier answer states the default is 10.
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Yep like Dave said there is a limit=X option for timechart. Timechart can be a bear to display properly. Depending on the time range the search is run in, I often have to slice it into bigger slices using span= as well as limit.
So. If you're doing a 30 day search your timechart might look like this to get the top 50 accounts per day.
| timechart span=1d useother=f limit=50 count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Thank you Dave
It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!
Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>
Or Learn More in Our Blog >>
