I am a learner to Splunk, as an initial requirement, just want to monitor the User's from windows ( AD Users ), when they logged in / activity performed by them / logout reason etc..Please guide if need more inputs on this. Possible to view the reports from GUI?
as I said, you need at first to take and parse logs from Windows servers.
You can do this deploying to your Domain Controllers the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/).
Before deploying it, you have to enable the inputs, you need, for this Use Case at least wineventlog:security.
I suppose that you already installed and configured your Universal Forwarders to send data to Splunk Enterprise.
In this way, you have logs for searching.
So you can run a simple search like this following:
index=wineventlog EventCode IN ("4624","4525","4634") | stats count BY EventCode
In this way you have the login, logout and logfail logs.
Thanks for assistance Giuseppe, to get on hand.
So GUI is not possible for my requirement right, as suggested by you, I will follow the videos to get more.
Could you please help me in better understanding of this command below.
index=wineventlog EventCode IN ("4624","4525","4634")
Anyway, your question is just a little vague because depends on what technologies you have as inputs, what's the purpose of your analysis, and what's your knowledge of Splunk.
In other words:
These aren't jobs to do via GUI, for this reason I ask you: what's you knowledge of Splunk getting data in and Splunk language (SPL)?
You need both of them.
You can find many videos about getting data in on Splunk YouTube Channel and the tutorial for SPL at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
Start with the data
Do you have it already ingested into Splunk?
Do you understand the data?
Can you write a search to find speed up interpretation of the data?
How do you want to represent the information you have obtained by analysing the data?