I'm trying to display failed user login information by using a timechart, but I'm not sure how to show the time and date of the logins for each of the users.
This is my code:
source="General-linux-sql.log" AND sourcetype="Linux" AND "Failure Audit" AND "Logon "
| rex "User Name\: (?<User_Name>[^\s]+)"
| timechart count by User_Name
This is the output that I get. Also, how do I change it so that all the users are separated?
How do I display the time for each of the logins as well?
You can do the following to see users
You can play with both chart type & format options to improve the look and feel.
Hope this helps.
Thanks for the solution! However, now I have another problem with the Y-axis title. The title is now unreadable even though I changed it. Do you have any fix for this?
Have you tried trellis as a visualization? It should work if you have fewer than 20 users; if you have more, you must divide them into groups of 20.
r. Ismo
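
For the two questions asked at the top of the thread, here is an added example (not posted by anyone in the thread) built on the original search. The first search charts every user as its own series instead of folding the less frequent ones into OTHER, and the second lists the timestamp of each failed logon per user. The one-hour `span` and the output field names `failure_time`, `failures`, `first_failure`, `last_failure` and `failure_times` are assumptions chosen for illustration.

```spl
source="General-linux-sql.log" sourcetype="Linux" "Failure Audit" "Logon "
| rex "User Name\: (?<User_Name>[^\s]+)"
| timechart span=1h limit=0 useother=false count by User_Name

source="General-linux-sql.log" sourcetype="Linux" "Failure Audit" "Logon "
| rex "User Name\: (?<User_Name>[^\s]+)"
| eval failure_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count AS failures, earliest(failure_time) AS first_failure, latest(failure_time) AS last_failure, values(failure_time) AS failure_times by User_Name
| sort 0 - failures
```

`values()` de-duplicates, so two failures for the same user within the same second appear once in `failure_times` while still counting twice in `failures`.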