Splunk Search

How can I autorefresh a real time form and lookup a display name from Active Directory?

jd0323fhl
Explorer

I have a dashboard that runs in a real time window of 7 days and shows locked user accounts for Active Directory, Changes to key Admin Groups, and Audit policy deleted by user. It is not updating and the unlock panel runs slowly.

  1. What can I do to get the dashboard (or panels) to show when a real-time event comes in? I've tried adding a form refresh (see code below) and a dashboard interval, but no luck.
  2. Is there a better way to look up the Display name using the Sam Account name than ldapfilter under the "Account has locked" panel?

Note: There is a opening form entry in my XML code on the question, but it is not missing on the Splunk dashboard.

    form refresh="30"
          <label>Active_Directory_Events</label>

          <row>
            <panel>
              <input type="time" token="time_tok2" searchWhenChanged="true">
                <label></label>
                <default>
                  <earliest>rt-7d</earliest>
                  <latest>rtnow</latest>
                </default>
              </input>
              <table>
                <title>An Account has been locked out</title>
                <search>
              <query>index=main sourcetype="*wineventlog:security"   EventCode=4740 |  eval Account=mvindex(Account_Name, 1) | ldapfilter domain="domainname.com" search="(sAMAccountNAme=$$Account$$)"
              attrs="displayName"| table _time  name Account displayName   | rename _time AS Time  name AS Status Account AS Target_Account displayName as Full_Name | convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time) | sort -_time</query>
                  <earliest>$time_tok2.earliest$</earliest>
                  <latest>$time_tok2.latest$</latest>
                </search>

                <option name="drilldown">cell</option>
                <option name="dataOverlayMode">none</option>
                <option name="count">10</option>

              </table>
            </panel>
            <panel>
              <input type="time" token="time_token1">
                <label></label>
                <default>
                  <earliest>rt-7d</earliest>
                  <latest>rtnow</latest>
                </default>
              </input>
              <table>
                <title>Privileged Groups Changes</title>
                <search>
                  <query>(Group_Name="Domain Admins" OR Group_Name="Enterprise Admins" OR Group_Name="Schema Admins" OR Group_Name="Delegated Setup"  OR Group_Name="Discovery Management"  OR Group_Name="Exchange All Hosted Organizations"  OR Group_Name="Exchange Organization Administrators"  OR Group_Name="Exchange Public Folder Administrators"  OR Group_Name="Exchange Recipient Administrators"  OR Group_Name="Exchange Servers"  OR Group_Name="Exchange Trusted Subsystem"  OR Group_Name="Exchange View-Only Administrators"  OR Group_Name="Exchange Windows Permissions"  OR Group_Name="ExchangeLegacyInterop"  OR Group_Name="Help Desk (Exchange)"  OR Group_Name="Hygiene Management"  OR Group_Name="Organization Management"  OR Group_Name="Public Folder Management"  OR Group_Name="Recipient Management"  OR Group_Name="Records Management"  OR Group_Name="Server Management"  OR Group_Name="UM Management"  OR Group_Name="View-Only Organization Management")  eventtype=msad-groupmembership-changes NOT src_user="*$$" AND NOT member_id="S-1*" | table _time src_user member_id user_group name | rename _time AS Time src_user as "Administrator" member_id as "Group_Member" user_group as Group name as Action | convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time) | sort -_time</query>
                  <earliest>$time_token1.earliest$</earliest>
                  <latest>$time_token1.latest$</latest>
                </search>

                <option name="drilldown">row</option>
                <option name="dataOverlayMode">none</option>
                <option name="count">10</option>

              </table>
            </panel>
          </row>
          <row>
            <panel>
              <input type="time" token="time_tok3">
                <label></label>
                <default>
                  <earliest>rt-7d</earliest>
                  <latest>rtnow</latest>
                </default>
              </input>
              <table>
                <title>Audit Log Deleted by User</title>
                <search>
                  <query>index=main sourcetype="*wineventlog:security" EventCode=1102 |table _time Account_Name | rename _time as Time Account_Name as User | convert timeformat="%H:%M:%S %d.%m.%Y." | sort -_time</query>
                  <earliest>$time_tok3.earliest$</earliest>
                  <latest>$time_tok3.latest$</latest>
                </search>

                <option name="drilldown">cell</option>
                <option name="dataOverlayMode">none</option>
                <option name="count">10</option>

              </table>
            </panel>
          </row>
        </form>
0 Karma
1 Solution

jd0323fhl
Explorer

Was able to redo the dashboard. Did not need realtime on each panel. Set panel for 7 days and set each panel to auto-refresh every 20 seconds. For the Ldap filter, converted to a lookup table instead that does a scheduled lookup from Active Directory.

View solution in original post

0 Karma

jd0323fhl
Explorer

Was able to redo the dashboard. Did not need realtime on each panel. Set panel for 7 days and set each panel to auto-refresh every 20 seconds. For the Ldap filter, converted to a lookup table instead that does a scheduled lookup from Active Directory.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @jd0323fhl - If you were able to answer your own question, please don't forget to resolve this post by clicking on "Accept" below your answer. Thanks! 🙂

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...