Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to create a dashboard with avg AUTHZ usage over 30 days, per host

bond77s
Explorer
‎10-07-2024 12:32 PM 
index= name  tag=name  NOT "health-*" words="Authentication words" OR MESSAGE_TEXT="Authentication word" | stats count by host | table host,count
Labels (1)
Labels
0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎10-08-2024 09:10 AM

Some sample searches to start with as requested.
You can adjust the time spans and thresholds as needed. These queries should provide a foundation for your AUTHZ usage dashboard, balancing detail with performance.

  1. Total AUTHZ attempts:

 

index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")

| stats count as Total



  1. Successful vs. failed authorizations:

 

```

index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")

| stats count(eval(INFO="success" OR match(ERROR,"user failure"))) as Success, count as Total

| eval Failed = Total - Success

| eval Success_Rate = round((Success/Total)*100,2)

| table Success, Failed, Total, Success_Rate

```

 

  1. Authorization attempts by host:

 

```

index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")

| stats count as Attempts by host

| sort -Attempts

| head 10

```

 

  1. Peak authorization times and average response time:

 

```

index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")

| timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration

| eval avg_duration=round(avg_duration/1000,2)

| eval p95_duration=round(p95_duration/1000,2)

```






If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎10-07-2024 12:51 PM

       1. You can start with your base search. 

  1. Add a time range and average calculation:
index=* tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | bucket _time span=1d | stats count as daily_count by host, _time | stats avg(daily_count) as avg_daily_count by host

 

        3. Create a dashboard and add a table panel using this search.

        4. Add visualizations like bar charts to represent the data graphically


Key Metrics to Track:

  • Total AUTHZ attempts
  • Successful vs. failed authorizations logins
  • Authorization attempts by host
  • Authorization attempts by user
  • Peak authorization times
  • Unusual patterns or anomalies

Dashboard Components:

  • Summary statistics panel
  • Time series graph of authorization attempts
  • Top hosts by authorization usage (table or bar chart)
  • Top users by authorization attempts (table or bar chart)
  • Geographical map of authorization attempts (if applicable)
  • Failed authorization attempts breakdown

 

  

Below Links should help you out.

Refer: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchTutorial/Createnewdashboard
https://www.splunk.com/en_us/resources/videos/create-dashboard-in-splunk-enterprise.html
https://splunkbase.splunk.com/app/1603


Hope this helps

 

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...