I have a dashboard that runs in a real-time window of 7 days and shows locked user accounts for Active Directory, changes to key Admin Groups, and Audit policy deleted by user. It is not updating and the unlock panel runs slowly.
Note: There is an opening form entry in my XML code on the question, but it is not missing on the Splunk dashboard.
<form refresh="30">
  <label>Active_Directory_Events</label>
  <row>
    <panel>
      <input type="time" token="time_tok2" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>rt-7d</earliest>
          <latest>rtnow</latest>
        </default>
      </input>
      <table>
        <title>An Account has been locked out</title>
        <search>
          <!-- sort on _time before it is renamed and converted to a string -->
          <query>index=main sourcetype="*wineventlog:security" EventCode=4740
| eval Account=mvindex(Account_Name, 1)
| ldapfilter domain="domainname.com" search="(sAMAccountName=$$Account$$)" attrs="displayName"
| sort -_time
| table _time name Account displayName
| rename _time AS Time name AS Status Account AS Target_Account displayName AS Full_Name
| convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time)</query>
          <earliest>$time_tok2.earliest$</earliest>
          <latest>$time_tok2.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <input type="time" token="time_token1">
        <label></label>
        <default>
          <earliest>rt-7d</earliest>
          <latest>rtnow</latest>
        </default>
      </input>
      <table>
        <title>Privileged Groups Changes</title>
        <search>
          <!-- $$ is the Simple XML escape for a literal $, so "*$$" excludes computer accounts -->
          <query>(Group_Name="Domain Admins" OR Group_Name="Enterprise Admins" OR Group_Name="Schema Admins"
  OR Group_Name="Delegated Setup" OR Group_Name="Discovery Management"
  OR Group_Name="Exchange All Hosted Organizations" OR Group_Name="Exchange Organization Administrators"
  OR Group_Name="Exchange Public Folder Administrators" OR Group_Name="Exchange Recipient Administrators"
  OR Group_Name="Exchange Servers" OR Group_Name="Exchange Trusted Subsystem"
  OR Group_Name="Exchange View-Only Administrators" OR Group_Name="Exchange Windows Permissions"
  OR Group_Name="ExchangeLegacyInterop" OR Group_Name="Help Desk (Exchange)" OR Group_Name="Hygiene Management"
  OR Group_Name="Organization Management" OR Group_Name="Public Folder Management"
  OR Group_Name="Recipient Management" OR Group_Name="Records Management" OR Group_Name="Server Management"
  OR Group_Name="UM Management" OR Group_Name="View-Only Organization Management")
  eventtype=msad-groupmembership-changes NOT src_user="*$$" AND NOT member_id="S-1*"
| sort -_time
| table _time src_user member_id user_group name
| rename _time AS Time src_user AS "Administrator" member_id AS "Group_Member" user_group AS Group name AS Action
| convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time)</query>
          <earliest>$time_token1.earliest$</earliest>
          <latest>$time_token1.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="time_tok3">
        <label></label>
        <default>
          <earliest>rt-7d</earliest>
          <latest>rtnow</latest>
        </default>
      </input>
      <table>
        <title>Audit Log Deleted by User</title>
        <search>
          <!-- convert needs a function (ctime) and a field to act on -->
          <query>index=main sourcetype="*wineventlog:security" EventCode=1102
| sort -_time
| table _time Account_Name
| rename _time AS Time Account_Name AS User
| convert timeformat="%H:%M:%S %d.%m.%Y" ctime(Time)</query>
          <earliest>$time_tok3.earliest$</earliest>
          <latest>$time_tok3.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
Was able to redo the dashboard. Did not need realtime on each panel. Set panel for 7 days and set each panel to auto-refresh every 20 seconds. For the LDAP filter, converted to a lookup table instead that does a scheduled lookup from Active Directory.
Hi @jd0323fhl - If you were able to answer your own question, please don't forget to resolve this post by clicking on "Accept" below your answer. Thanks! 🙂