I am trying to find the number of successful/failed logins to my machine over time, with a distinct count by user. This is the current search so far, but I am unable to display a visualization for it:
source="/var/log/auth.log" | search "Failed Password" OR "Accepted Password" | table time srcHost dstHost user cmd process | timechart span=1h dc(user) by srcHost
I am currently returning four events, but nothing is being displayed under the Visualization tab. Any help would be appreciated.
I did not realize you needed to use the builtin _time field rather than one that I had parsed out of the log and named time. I have updated the query to represent as much:
source="/var/log/auth.log" | search "Failed Password" OR "Accepted Password" | eval type=if(searchmatch("Failed password"),"Fail","Success") | table _time srcHost dstHost user cmd process type | timechart span=1h count(type) by srcHost
Additionally, I added the new field type to highlight whether the entry is a failed login or a success. The visualization appears; however, the count(type) does not separate between the different values of type by srcHost. In other words, within an hour span I want a column for each host with different colors representing success or failure, rather than representing them all as one color.
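Added example (not from the original poster): timechart can only split on a single field, so to get one series per host and outcome the two fields are combined into a single series name with eval before the timechart. It assumes, as in the posted query, that srcHost and user are already extracted fields, and that the sshd messages contain "Failed password" / "Accepted password".

```spl
source="/var/log/auth.log" ("Failed password" OR "Accepted password")
| eval type=if(searchmatch("Failed password"), "Fail", "Success")
| eval series=srcHost . "_" . type
| timechart span=1h count by series
```

For the original goal of a distinct user count per host and outcome, replace the last line with `| timechart span=1h dc(user) by series`; the `table` command is left out because it is unnecessary before timechart and would discard `_time` if it were omitted from the field list.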