How to format timechart or stats visualization of failed login account names by time?

soundchaos
Path Finder

Looking for the best way to format a timechart or stats visualization of failed login account names by time. Right now I have:

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count by Account_Name

This helps a little, but due to how rare it is for a lockout to occur here, there are way too many empty blocks of time where nothing occurs. How can I get a useful chart that shows easy-to-read data over a long range of time while still showing the exact day that the lockout occurred?

I also don't need to know the count of "how many failed logins per individual accounts", but I don't know how else to get a visual representation.

1 Solution

strive
Influencer

Since you do not want failed logins by individual accounts and also you need to skip empty blocks, try this

index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count as FailedLogins | where FailedLogins > 0
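To make the difference between the two searches concrete, here is an added Python model of what they compute (example code, not from the thread or from Splunk): the same daily bucketing and "where FailedLogins > 0" filtering run over a constructed set of EventCode 4740 records, plus a per-day list of the locked-out accounts, which goes a step beyond the search in the answer. The sample events, account names and date range are all made up for the example.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample of Windows EventCode 4740 (account lockout) events, in the
# shape Splunk presents them: Account_Name is multivalue, where "-" is the
# placeholder for the caller and the second value is the locked-out account.
SAMPLE_EVENTS = [
    {"_time": "2024-03-02T08:14:00+00:00", "EventCode": 4740, "Account_Name": ["-", "jdoe"]},
    {"_time": "2024-03-02T17:41:00+00:00", "EventCode": 4740, "Account_Name": ["-", "svc_backup"]},
    {"_time": "2024-03-09T11:02:00+00:00", "EventCode": 4740, "Account_Name": ["-", "jdoe"]},
    {"_time": "2024-03-15T09:30:00+00:00", "EventCode": 4625, "Account_Name": ["-", "asmith"]},
]


def mvfilter_not_dash(values):
    """eval Account_Name=mvfilter(Account_Name!="-"): drop the placeholder."""
    return [v for v in values if v != "-"]


def day_of(event):
    """span=1d bucketing: the UTC calendar day of the event's _time."""
    return datetime.fromisoformat(event["_time"]).date().isoformat()


def timechart_dense(events, start, end):
    """timechart span=1d count as FailedLogins: one row per day, zeros included."""
    lockouts = [e for e in events if e["EventCode"] == 4740]
    counts = Counter(day_of(e) for e in lockouts)
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    rows = []
    for i in range((last - first).days + 1):
        day = (first + timedelta(days=i)).isoformat()
        rows.append((day, counts.get(day, 0)))
    return rows


def timechart_sparse(events, start, end):
    """... | where FailedLogins > 0: keep only the days a lockout happened."""
    return [(day, n) for day, n in timechart_dense(events, start, end) if n > 0]


def locked_accounts_by_day(events):
    """Which accounts were locked out on each day, without a series per account."""
    by_day = {}
    for e in events:
        if e["EventCode"] != 4740:
            continue
        by_day.setdefault(day_of(e), set()).update(mvfilter_not_dash(e["Account_Name"]))
    return {day: sorted(names) for day, names in sorted(by_day.items())}


if __name__ == "__main__":
    print(timechart_sparse(SAMPLE_EVENTS, "2024-03-01", "2024-03-15"))
    print(locked_accounts_by_day(SAMPLE_EVENTS))
```

Over the 15-day range the dense table has 13 zero rows, which is the clutter the question describes; the sparse version keeps just the two days with lockouts, and the 4625 event is excluded by the EventCode filter.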

soundchaos
Path Finder

Thanks, this shows exactly what I was looking for! Seems I was making it much harder than it had to be.

AlyssaR
Explorer

If you're trying to do a line chart, you can edit the graph so the days with no values will show as 0. [Click on the Paintbrush menu and then the middle option by Null Values on the General tab.]

This will keep the line for each Account Name from having breaks in it, so your graph will show as a bunch of flat lines with occasional spikes when you have failed logins.

Also, if you're not actually wanting the graph split by user, you can always do "timechart count by EventCode" (or any other field that will only have one value) to get the total lockouts by time.

Is that what you were asking? Let me know if I misunderstood.

soundchaos
Path Finder

The null values made sense, but that was not quite what I was looking for. The count by EventCode suggestion was good!
