```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | stats count by host | table host,count
```
Some sample searches to start with as requested.
You can adjust the time spans and thresholds as needed. These queries should provide a foundation for your AUTHZ usage dashboard, balancing detail with performance.
```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Total
```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count(eval(INFO="success" OR match(ERROR,"user failure"))) as Success, count as Total
| eval Failed = Total - Success
| eval Success_Rate = round((Success/Total)*100,2)
| table Success, Failed, Total, Success_Rate
```
```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Attempts by host
| sort -Attempts
| head 10
```
```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration
| eval avg_duration=round(avg_duration/1000,2)
| eval p95_duration=round(p95_duration/1000,2)
```
1. You can start with your base search.
3. Create a dashboard and add a table panel using this search.
4. Add visualizations like bar charts to represent the data graphically.
Key Metrics to Track:
Dashboard Components:
The links below should help you out.
Refer: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchTutorial/Createnewdashboard
https://www.splunk.com/en_us/resources/videos/create-dashboard-in-splunk-enterprise.html
https://splunkbase.splunk.com/app/1603
Hope this helps
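Added example, not part of the answer above: a Simple XML dashboard that wires the base search and the panels from the sample searches together. The index name, the `tag`/`words`/`MESSAGE_TEXT` filters and the `INFO`, `ERROR`, `host` and `duration` field names are placeholders copied from the searches in the answer, and treating `INFO="success"` as a success and an `ERROR` matching "user failure" as a failure is my assumption; check both against your own log schema.

```xml
<!-- Added example (not from the answer above). Assumptions: the index name,
     the tag/words/MESSAGE_TEXT filters and the INFO, ERROR, host and duration
     fields are placeholders taken from the sample searches; INFO="success" is
     treated as a success and ERROR matching "user failure" as a failure. -->
<dashboard version="1.1">
  <label>AUTHZ usage</label>

  <!-- Base search: runs once, every panel below post-processes its results.
       A non-transforming base search is capped at 500,000 events by default,
       so keep only the fields the panels need and narrow the time range. -->
  <search id="authz_base">
    <query>index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| fields _time, host, INFO, ERROR, duration</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Success rate (last 24h)</title>
      <table>
        <search base="authz_base">
          <query>| stats count(eval(INFO="success")) as Success,
        count(eval(match(ERROR,"user failure"))) as Failed,
        count as Total
| eval Success_Rate = if(Total > 0, round((Success/Total)*100, 2), 0)
| table Success, Failed, Total, Success_Rate</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Top 10 hosts by attempts</title>
      <chart>
        <search base="authz_base">
          <query>| stats count as Attempts by host | sort -Attempts | head 10</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Attempts and latency per 15 minutes</title>
      <chart>
        <search base="authz_base">
          <query>| timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration
| eval avg_duration = round(avg_duration/1000, 2), p95_duration = round(p95_duration/1000, 2)</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Save this as a new dashboard (Dashboards > Create New Dashboard, then edit the source) and the panels share one scan of the index. The `if(Total > 0, ...)` guard keeps the success-rate panel from showing an empty cell when the time range contains no authentication events, and the `duration` division assumes the field is in milliseconds, as the sample timechart search does.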