Splunk Search

How to format timechart or stats visualization of failed login account names by time?

Path Finder

Looking for the best way to format a timechart or stats visualization of failed login account names by time. Right now I have:

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count by Account_Name

This helps a little, but due to how rare it is for a lockout to occur here, there are way too many empty blocks of time where nothing occurs. How can I get a useful chart that shows easy-to-read data over a long range of time while still showing the exact day that the lockout occurred?

I also don't need to know the count of "how many failed logins per individual accounts", but I don't know how else to get a visual representation.

1 Solution

Influencer

Since you do not want failed logins by individual accounts and also you need to skip empty blocks, try this:

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count as FailedLogins | where FailedLogins > 0

Path Finder

Thanks, this shows exactly what I was looking for! Seems I was making it much harder than it had to be.

Explorer

If you're trying to do a line chart, you can edit the graph so the days with no values will show as 0. [Click on the Paintbrush menu and then the middle option by Null Values on the General tab.]

This will keep the line for each Account Name from having breaks in it, so your graph will show as a bunch of flat lines with occasional spikes when you have failed logins.

Also, if you're not actually wanting the graph split by user, you can always do "timechart count by EventCode" (or any other field that will only have one value) to get the total lockouts by time.

Is that what you were asking? Let me know if I misunderstood.

Path Finder

The null values made sense, but it was not quite what I was looking for. The count by EventCode suggestion was good!
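Building on the accepted answer's filter and the count-by-EventCode suggestion, the following added query (not from any poster in this thread) keeps one total per day and drops the empty days, but also lists which accounts were locked out on each day, so the account names the question asked for stay visible without splitting the chart by account. It assumes the same index, EventCode and Account_Name field as the question's own search.

```spl
index="activedirectory" EventCode=4740
| eval Account_Name=mvfilter(Account_Name!="-")
| timechart span=1d count AS Lockouts dc(Account_Name) AS DistinctAccounts values(Account_Name) AS Accounts
| where Lockouts > 0
```

Lockouts is the series to plot; DistinctAccounts and Accounts show up in the statistics table (or on hover), which makes a day where one account was locked out many times stand out from a day where several different accounts were hit.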