How to format timechart or stats visualization of failed login account names by time?

soundchaos
Path Finder

Looking for the best way to format a timechart or stats visualization of failed login account names by time. Right now I have:

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count by Account_Name

This helps a little, but due to how rare it is for a lockout to occur here, there are way too many empty blocks of time where nothing occurs. How can I get a useful chart that shows easy to read data over a long range of time while still showing the exact day that the lockout occurred?

I also don't need to know the count of "how many failed logins per individual accounts", but I don't know how else to get a visual representation.

1 Solution

strive
Influencer

Since you do not want failed logins by individual accounts and also you need to skip empty blocks, try this

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count as FailedLogins | where FailedLogins > 0

soundchaos
Path Finder

Thanks, this shows exactly what I was looking for! Seems I was making it much harder than it had to be.

AlyssaR
Explorer

If you're trying to do a line chart, you can edit the graph so the days with no values will show as 0. [Click on the Paintbrush menu and then the middle option by Null Values on the General tab.]

This will keep the line for each Account Name from having breaks in it, so your graph will show as a bunch of flat lines with occasional spikes when you have failed logins.

Also, if you're not actually wanting the graph split by user, you can always do "timechart count by EventCode" (or any other field that will only have one value) to get the total lockouts by time.

Is that what you were asking? Let me know if I misunderstood.
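An added example, written for this page and not posted by anyone in the thread: it combines the accepted answer's idea (one count per day, empty days left out) with the later suggestion of counting the total instead of splitting the series by account, while still listing which accounts were locked out on each day. It assumes only what the question already uses: the `activedirectory` index, `EventCode=4740`, and a multivalue `Account_Name` field that contains a placeholder `-` value to filter out.

```spl
index="activedirectory" EventCode=4740
| eval Account_Name=mvfilter(Account_Name!="-")
| bin _time span=1d
| stats count AS Lockouts values(Account_Name) AS LockedAccounts BY _time
| sort _time
```

Because `stats ... BY _time` only produces a row for days that actually contain events, no `where Lockouts > 0` filter is needed here. `timechart` is the command that pads the series with a zero for every empty day, which is why the accepted answer needs its `where` clause. Use this `stats` form in the Statistics tab when the question is "which day, and which accounts"; keep `timechart span=1d count AS Lockouts` (without the `where`) when you want a continuous line or column chart, since filtering the zero rows out of a timechart leaves only the remaining days on the x-axis and hides how rare the lockouts really are.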

soundchaos
Path Finder

The null values made sense, but were not quite what I was looking for. The count by EventCode suggestion was good!
