Splunk Enterprise

SPL search string to visualize logon data

jguerttman
Explorer

Please forgive me, I am new to Splunk.

I'm trying to create a dashboard that visualizes successful/failed logins. I don't have anyone I work with who's a professional or even knowledgeable/experienced enough to help. So, I started to use ChatGPT to help develop these strings. After I got the base setup from ChatGPT, I tried to fill in the sourcetypes. But now I'm getting this error:

Error in 'EvalCommand': The expression is malformed. 

Please let me know what I need to do to fix this. Ask away please. It'll only help me get better.

 

index=ActiveDirectory OR index=WindowsLogs OR index=WinEventLog
(
    ```Windows logon events```
    (sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625))
    OR
    ```Active Directory logon events (adjust keywords if needed); the OR needs its own parentheses```
    (sourcetype=ActiveDirectory ("Logon" OR "Failed logon"))
)
| eval LogonType=case(
    EventCode=4624, "Successful Windows Login",
    EventCode=4625, "Failed Windows Login",
    ```"Failed logon" is tested first because searchmatch("Logon") would also match it```
    searchmatch("Failed logon"), "Failed AD Login",
    searchmatch("Logon"), "Successful AD Login"
)
```SPL comments use triple backticks; a trailing # inside an eval is what produced "The expression is malformed"```
```Combine Account_Name and user fields```
| eval user=coalesce(Account_Name, user)
```Unify source IP or host (note: host is the machine that logged the event, not the logon source)```
| eval src_ip=coalesce(src_ip, host)
| stats count by LogonType, user, src_ip
| sort - count

0 Karma

jguerttman
Explorer

YES! That's what I'm looking for. I have both Windows and RHEL machines. I'm using the Cisco network app to track logins to the network on there, if that makes sense. I'd like to have it do logins over the course of 7 days with the top 5 users like you were saying. That just makes sense. I'm learning a bunch of stuff.

0 Karma

marnall
Motivator

The exact search to produce a visualization would depend on which fields are extracted for your logs. Assuming they are normalized such that e.g. the field "user" and the field "status" are the same between the Windows and RHEL logs, then you could find the 5 users with the most failed logins for the past week with:

index=<yourwindowslogindex> OR index=<yourlinuxlogindex> earliest=-7d status="failed"
| top limit=5 user


If the fields are not normalized, then you may need to extract them. In this case could you post some sanitized samples of the successful and failed login events?

They should be retrievable by searching something like:

index=<yourindex> (EventCode=4624 OR EventCode=4625 OR "Login")
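Putting the two halves of that answer together for a Windows plus RHEL estate, here is an added example search (not from the thread) that normalizes Windows Security events and Linux sshd messages into common user/status/src fields and charts them per day over the past 7 days. The index names (wineventlog, linux), the sourcetypes (WinEventLog:Security, linux_secure) and the Windows field names (TargetUserName and IpAddress for XML-rendered events, Account_Name and Source_Network_Address for the classic rendering) are assumptions about how the data is onboarded; confirm them with `| fieldsummary` on a small time range before trusting the numbers.

```spl
(index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625))
OR (index=linux sourcetype=linux_secure ("Accepted password" OR "Accepted publickey" OR "Failed password"))
earliest=-7d@d latest=now
| eval status=case(
    EventCode=4624, "success",
    EventCode=4625, "failure",
    match(_raw, "Accepted (password|publickey) for"), "success",
    match(_raw, "Failed password for"), "failure",
    true(), "unknown")
| rex "(?:Accepted|Failed) (?:password|publickey) for (?:invalid user )?(?<ssh_user>\S+) from (?<ssh_src>\S+)"
| eval user=coalesce(ssh_user, TargetUserName, mvindex(Account_Name, -1))
| eval src=coalesce(ssh_src, IpAddress, Source_Network_Address, host)
| where NOT like(user, "%$") AND user!="ANONYMOUS LOGON"
| timechart span=1d count by status
```

The `mvindex(Account_Name, -1)` is there because classic-format 4624/4625 events carry two Account_Name values (the subject first, the target account second) and the target is the one you want to count. The `where` drops computer accounts (names ending in `$`) and anonymous logons, which otherwise swamp the chart. The fallback to `host` in `src` identifies the machine that logged the event, not where the logon came from, so treat it as a last resort. For the "top 5 users with failed logins" view, replace the final `timechart` line with `| search status="failure" | top limit=5 user`.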

marnall
Motivator

I wouldn't recommend using ChatGPT to make Splunk searches. It usually generates nonsense and even if the SPL is valid, it tries to do bizarre stuff.

It would help if you would specify what kind of visualization of logins you would like. Do you want a total of successful and failed logins over a time period? Do you want to find the top 5 users with failed logins? Would you like to see a timeline of successful and failed logins over the past 7 days?
