Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use timechart to display failed user login info, sorted by time/date of each login attempt?

rkris
Explorer
‎07-20-2020 07:48 PM

I'm trying to display failed user login information by using a timechart but I'm not sure how to show the time and date of the logins for each of the user

This is my code :

source="General-linux-sql.log" AND sourcetype="Linux" AND "Failure Audit" AND "Logon "
| rex "User Name\: (?<User_Name>[^\s]+)"
| timechart count by User_Name

This is the output that I get. Also, how do I change it so that all the users are separated?

paste_qns.PNG

Labels (2)
Labels
0 Karma
Reply

rkris
Explorer
‎07-20-2020 08:54 PM

How do I display the time for each of the logins as well?

0 Karma
Reply

anilchaithu
Builder
‎07-20-2020 08:20 PM

@rkris 

you can do the following to see users

  • change area chart to line chart (OR) column chart
  • If you choose line chart, Format -> General -> Multi series mode -> yes

you can play with both chart type & format options to improve look and feel.

Hope this helps

Reply

rkris
Explorer
‎07-21-2020 02:24 AM

@anilchaithu 

Thanks for the solution! However, now I have another problem with the Y-axis title. The title is now unreadable even though I changed it. Do you have any fix for this?

paste_qns1.PNG

paste_qns2.PNG

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:46 PM

Have you tried trellis as visualization? It should work if you have less than 20 user and if more then you must divide those to  group of 20.

r. Ismo

0 Karma
Reply

rkris
Explorer
‎07-20-2020 08:58 PM
 
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...