I would put the "TOP logon failures" in the same report and below it the table with _time and all failures.
The TOP search:
action=failure eventtype="Logon Failure" | top user Source_Network_Address Workstation_Name ComputerName | rename user as User, ComputerName as Destination | where count > 30
You can do it in a dashboard with two panels: in the first panel you put the "TOP logon failures", and in the second panel the table with _time and all failures.
Good idea. I will do this.
But is there some form of a query that brings the TOP table?
A simple way would be to use a subsearch:
action=failure eventtype="Logon Failure" [action=failure eventtype="Logon Failure" | top user Source_Network_Address Workstation_Name ComputerName | search count > 30 | fields user]
Alternatively, combine the two:
action=failure eventtype="Logon Failure" | stats values(_time) count by user,Source_Network_Address,Workstation_Name,ComputerName | search count > 30
Good idea. Be sure to have a look at the Splunk tutorial here: http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchTutorial/WelcometotheSearchTutorial
It has a section on how to make dashboards.
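The two-panel dashboard suggested above, written out as an added Simple XML example (it is not from any of the posters in this thread): the first panel runs the "TOP logon failures" search, and clicking a row sets a token that filters the second panel to every failure for that user with _time. Field names are the ones used in the thread; the 24-hour time range and the token name sel_user are assumptions.

```xml
<dashboard>
  <label>Logon failures</label>
  <row>
    <panel>
      <title>TOP logon failures (count &gt; 30)</title>
      <table>
        <search>
          <!-- Same search as in the thread; ">" must be escaped as &gt; inside XML -->
          <query>action=failure eventtype="Logon Failure" | top user Source_Network_Address Workstation_Name ComputerName | where count &gt; 30 | rename user as User, ComputerName as Destination</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <!-- Clicking a row stores the clicked User in a token for the second panel -->
        <drilldown>
          <set token="sel_user">$row.User$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until a user has been selected in the TOP panel -->
    <panel depends="$sel_user$">
      <title>All logon failures for $sel_user$</title>
      <table>
        <search>
          <query>action=failure eventtype="Logon Failure" user="$sel_user$" | table _time user Source_Network_Address Workstation_Name ComputerName</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

To show every failure for all users above the threshold at once instead of one selected user, replace the second panel's query with the subsearch version from the thread and drop the depends attribute.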