Dashboards & Visualizations

how to create a dashboard with avg AUTHZ usage over 30 days, per host

bond77s
Explorer
index=name tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | stats count by host | table host, count

sainag_splunk
Splunk Employee

Some sample searches to start with as requested.
You can adjust the time spans and thresholds as needed. These queries should provide a foundation for your AUTHZ usage dashboard, balancing detail with performance.


  1. Total AUTHZ attempts:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Total
```

  2. Successful vs. failed authorizations:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count(eval(INFO="success" OR match(ERROR,"user failure"))) as Success, count as Total
| eval Failed = Total - Success
| eval Success_Rate = round((Success/Total)*100,2)
| table Success, Failed, Total, Success_Rate
```

  3. Authorization attempts by host:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Attempts by host
| sort -Attempts
| head 10
```

  4. Peak authorization times and average response time:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration
| eval avg_duration=round(avg_duration/1000,2)
| eval p95_duration=round(p95_duration/1000,2)
```






sainag_splunk
Splunk Employee

  1. You can start with your base search.

  2. Add a time range and average calculation:

```
index=* tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") earliest=-30d@d latest=@d
| bucket _time span=1d
| stats count as daily_count by host, _time
| stats avg(daily_count) as avg_daily_count by host
```

  3. Create a dashboard and add a table panel using this search.

  4. Add visualizations like bar charts to represent the data graphically.


Key Metrics to Track:

  • Total AUTHZ attempts
  • Successful vs. failed authorizations
  • Authorization attempts by host
  • Authorization attempts by user
  • Peak authorization times
  • Unusual patterns or anomalies

Dashboard Components:

  • Summary statistics panel
  • Time series graph of authorization attempts
  • Top hosts by authorization usage (table or bar chart)
  • Top users by authorization attempts (table or bar chart)
  • Geographical map of authorization attempts (if applicable)
  • Failed authorization attempts breakdown

 

  

The links below should help you out.

Refer: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchTutorial/Createnewdashboard
https://www.splunk.com/en_us/resources/videos/create-dashboard-in-splunk-enterprise.html
https://splunkbase.splunk.com/app/1603


Hope this helps
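The steps in the answers above (base search, daily bucketing, per-host average, table panel plus a chart) can be put together as one Simple XML dashboard. The definition below is an added example for this thread, not something posted by the question author or by Splunk; it assumes the placeholder index name and the field names used in the answers (index=yourindexname, tag=name, the words/MESSAGE_TEXT fields), and the time-picker token name tr is an arbitrary choice. It pins the default time range to the last 30 whole days, which the question asked for and the base search by itself does not do.

```xml
<!-- Added example dashboard for this thread; index/field names are the
     placeholders from the answers above, "tr" is an assumed token name. -->
<form version="1.1">
  <label>AUTHZ usage by host (30-day average)</label>

  <fieldset submitButton="false">
    <!-- Default to the last 30 complete days; the user can override. -->
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: one daily count per host. It is a transforming
       search, so panels can post-process it without re-running it. -->
  <search id="base">
    <query>index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| bin _time span=1d
| stats count AS daily_count BY host, _time</query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Average daily AUTHZ attempts per host</title>
      <table>
        <search base="base">
          <!-- active_days shows how many days the average is over:
               a host with no events on a day has no bucket for it,
               so avg(daily_count) is an average over active days only. -->
          <query>| stats avg(daily_count) AS avg_daily_count, sum(daily_count) AS total_attempts, dc(_time) AS active_days BY host
| eval avg_daily_count=round(avg_daily_count,2)
| sort - avg_daily_count</query>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>

    <panel>
      <title>Daily AUTHZ attempts, top 10 hosts</title>
      <chart>
        <search base="base">
          <query>| timechart span=1d sum(daily_count) AS attempts BY host limit=10 useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Paste this into the dashboard's source editor (Edit, then Source) in place of the generated XML. The active_days column is the check worth keeping: if a host shows a high average but only a handful of active days, the average is being computed over those few days, not over the full 30, and a sudden burst of activity on an otherwise quiet host stands out for exactly that reason.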

 
