Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Error parsing dashboard XML: The URI to be decoded...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix
connorgoldenNav
New Member
07-31-2019
10:05 AM
Windows Overview Dashboard error.
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix
Source:
Windows Overview - v2.4
<panel>
<html>
<h1>
<center>General Information System Statistics Panel</center>
</h1>
</html>
<single>
<title>Active Users</title>
<search>
<query>index=winevents EventCode=4624 OR EventCode=528 |dedup user |stats count(user)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="underLabel">Number of Active Users</option>
<option name="useColors">0</option>
<option name="drilldown">none</option>
</single>
<single>
<title>Total AD Users</title>
<search>
<query>|inputlookup AD_Users.csv |stats count(DisplayName)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">1</option>
<option name="underLabel">Total Users</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xd93f3c","0x555"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
<single>
<title>Active Hosts</title>
<search>
<query>index=winevents |dedup host |stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">0</option>
<option name="underLabel">Number of Active Hosts</option>
<option name="drilldown">none</option>
</single>
<single>
<title>Total AD Hosts</title>
<search>
<query>|inputlookup AD_Hosts.csv |stats count(DisplayName)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">1</option>
<option name="underLabel">Total Hosts</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xd93f3c","0x555"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
<panel>
<html>
<h1>
<center>User Account Action Panel</center>
</h1>
</html>
<single>
<title>Newly Created Accounts</title>
<search>
<query>index=winevents EventCode=4720 OR EventCode=624 | chart dc(user)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">New Accounts</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4720 OR EventCode=624 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
<option name="linkView">search</option>
<option name="drilldown">all</option>
</single>
<single>
<title>Account Modifications</title>
<search>
<query>index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725 | chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Account Modifications</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725| eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Accounts Deleted</title>
<search>
<query>index=winevents EventCode=630 OR EventCode=4726 |chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Accounts Deleted</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=630 OR EventCode=4726 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Password Changes</title>
<search>
<query>index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ |chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Password Changes</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Account Lockouts</title>
<search>
<query>index=winevents EventCode=644 OR EventCode=4740|chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Account Lockouts</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=644 OR EventCode=4740 | table EventCode, signature, user, host, _time</link>
</drilldown>
</single>
</panel>
<panel>
<html>
<h1>
<center>Computer Account Actions Panel</center>
</h1>
<h3>
<center>(Investigate any actions that appear here)</center>
</h3>
</html>
<single>
<title>Newly Created Computers</title>
<search>
<query>index=winevents EventCode=4741 OR EventCode=645 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">New Computers</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4741 OR EventCode=645 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
<single>
<title>Recently Deleted Computers</title>
<search>
<query>index=winevents EventCode=4743 OR EventCode=647 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Deleted Computers</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4743 OR EventCode=647 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
<single>
<title>Group Policy Errors</title>
<search>
<query>index=winevents EventCode=1202 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Group Policy Errors</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=1202 | stats count sparkline AS Trend by host | sort - count</link>
</drilldown>
</single>
<single>
<title>Shutdowns Computer</title>
<search>
<query>index=winevents EventCode=4609 OR EventCode=513 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,3,5]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Shutdowns</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4609 OR EventCode=513 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
</panel>
<panel>
<single>
<title>Missing Forwaders</title>
<search>
<query>| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Missing Forwaders</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime| table host, lastTime | sort - lastTime</link>
</drilldown>
<option name="linkView">search</option>
<option name="drilldown">all</option>
</single>
<single>
<title>Software Installs</title>
<search>
<query>index=winevents SourceName=MsiInstaller EventCode=11707 host="*" | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Software Installs</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/SW_Detailed</link>
</drilldown>
</single>
<single>
<title>Software Uninstalls</title>
<search>
<query>index=winevents SourceName=MsiInstaller EventCode=11724 host="*" | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Software Uninstalls</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/SW_Detailed</link>
</drilldown>
</single>
<single>
<title>AV Updates</title>
<search>
<query>index=winevents EventCode=7 EventType=4 latest=now earliest=-30d@d| stats first(1) by host| stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xd93f3c","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">AV Updates</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=7 EventType=4 | stats count sparkline AS Trend by host| sort + Date</link>
</drilldown>
</single>
</panel>
<panel>
<html>
<h1>
<center>Data Loss Protection Action Panel</center>
</h1>
<h3>
<center>(Investigate any actions that appear here)</center>
</h3>
</html>
<single>
<title>File Shadow Reads</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=26 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Shadow Reads</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Shadow Writes</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=25 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Shadow Writes</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Failed Reads</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=18 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Reads</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Failed Writes</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=19 | transaction _time, host, user| stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Writes</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>Media/Device Actions</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc (EventCode=14 OR EventCode=16) | transaction _time, host, user| stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Media/Device Actions</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
</panel>
<panel>
<title>Failed Logon Panel</title>
<single>
<title>Failed Logons</title>
<search>
<query>index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count</query>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Logins</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count sparkline AS Trend by user, signature | sort - count</link>
</drilldown>
</single>
<table>
<title>Failed Logons for Unknown Accounts</title>
<search>
<query>index=winevents sourcetype="WinEventLog:Security" (EventCode=4625 Sub_Status=0xC0000064) OR (EventCode=529) |eval Date=strftime(_time, "%Y/%m/%d") |rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<facct>\S.*)" | eval uacct=coalesce(facct,User_Name)| stats count sparkline AS Trend by uacct, host | rename count as "Attempts", uacct as "Account" | sort - Attempts</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<format type="sparkline"
field="Trend">
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="lineWidth">1</option>
<option name="height">25px</option>
</format>
</table>
</panel>
<panel>
<title>After Hours Panel</title>
<single>
<title>After Hours Logins (Before 6 AM or After 6 PM)</title>
<search>
<query>index=winevents EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count</query>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">After Hours Logins</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts</link>
</drilldown>
</single>
<table>
<title>After Hours Logins</title>
<search>
<query>index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<format field="Trend"
type="sparkline">
<option name="lineWidth">1</option>
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="height">25px</option>
</format>
</table>
</panel>
<panel>
<table>
<title>Domain Admin Activity</title>
<search>
<query>index=winevents EventCode=4624 [|inputlookup AD_Groups.csv| search group_name="Domain Admins" |table member_name| rename member_name AS user]|stats count sparkline AS Trend by user | sort - count</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<format field="Trend"
type="sparkline">
<option name="lineWidth">1</option>
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="height">25px</option>
</format>
<drilldown target="new">
<link>/app/IA_Overview/Win_Priv_Detail?form.usertok=$click.value2$</link>
</drilldown>
</table>
</panel>
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Cisco Live 2026 is almost here, and this ...
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Hello Splunkers,
So you searched, “what is the name of the usb key inserted by bob smith?”
Not gonna lie… ...
Automating Threat Operations and Threat Hunting with Recorded Future
Automating Threat Operations and Threat Hunting
with Recorded Future
June 29, 2026 | Register
Is your ...
