Please forgive me, I am new to Splunk.
I'm trying to create a dashboard that visualizes successful/failed logins. I don't have anyone I work with who is a professional or even knowledgeable/experienced enough to help. So, I started to use ChatGPT to help develop these strings. After I got the base setup from ChatGPT, I tried to fill in the sourcetypes. But now I'm getting this error:
Error in 'EvalCommand': The expression is malformed.
Please let me know what I need to do to fix this. Ask away please. It'll only help me get better.
index=ActiveDirectory OR index=WindowsLogs OR index=WinEventLog
(
(sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625)) # Windows logon events
OR
(sourcetype=ActiveDirectory "Logon" OR "Failed logon") # Active Directory logon events (adjust keywords if needed)
)
| eval LogonType=case(
EventCode=4624, "Successful Windows Login",
EventCode=4625, "Failed Windows Login",
searchmatch("Logon"), "Successful AD Login",
searchmatch("Failed logon"), "Failed AD Login"
)
| eval user=coalesce(Account_Name, user) # Combine Account_Name and user fields
| eval src_ip=coalesce(src_ip, host) # Unify source IP or host
| stats count by LogonType, user, src_ip
| sort - count
YES! That's what I'm looking for. I have both Windows and RHEL machines. I'm using the Cisco network app to track logins to the network on there, if that makes sense. I'd like to have it do logins over the course of 7 days with the top 5 users like you were saying. That just makes sense. I'm learning a bunch of stuff.
The exact search to produce a visualization would depend on which fields are extracted for your logs. Assuming they are normalized such that e.g. the field "user" and the field "status" are the same between the Windows and RHEL logs, then you could find the 5 users with the most failed logins for the past week with:
index=<yourwindowslogindex> OR index=<yourlinuxlogindex> earliest=-7d status="failed"
| top limit=5 user
If the fields are not normalized, then you may need to extract them. In this case could you post some sanitized samples of the successful and failed login events?
They should be retrievable by searching something like:
index=<yourindex> (EventCode=4624 OR EventCode=4625 OR "Login")
I wouldn't recommend using ChatGPT to make Splunk searches. It usually generates nonsense and even if the SPL is valid, it tries to do bizarre stuff.
It would help if you would specify what kind of visualization of logins you would like. Do you want a total of successful and failed logins over a time period? Do you want to find the top 5 users with failed logins? Would you like to see a timeline of successful and failed logins over the past 7 days?
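The following is an added example (not code from any of the posters) that combines the original search with the 7-day, top-5 suggestion above. It assumes the same index, sourcetype and field names as the question; the `#` comments are dropped because SPL has no `#` comment syntax (they are parsed as search terms, which is what makes the eval expression malformed), the AD clause is parenthesized so the OR does not escape the sourcetype filter, and the "Failed logon" check is ordered before the "Logon" check because searchmatch("Logon") also matches failed-logon events.

```spl
index=ActiveDirectory OR index=WindowsLogs OR index=WinEventLog earliest=-7d
    (
        (sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625))
        OR
        (sourcetype=ActiveDirectory ("Logon" OR "Failed logon"))
    )
| eval status=case(
    EventCode=4624, "success",
    EventCode=4625, "failure",
    searchmatch("Failed logon"), "failure",
    searchmatch("Logon"), "success",
    true(), "unknown")
| eval user=coalesce(Account_Name, user)
| eval src=coalesce(src_ip, host)
| where status="failure"
| top limit=5 user
```

For the timeline view mentioned above, replace the last two lines with `| timechart span=1d count by status`; the Windows events are authoritative, while the keyword-based AD branch only reports what those logs actually contain.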