Splunk Search

splunk query issues

anu1
New Member

Hey team,

I have one requirement, i.e. I have to create a Splunk dashboard to report the # of logins and # of logouts.

The input for the Splunk report should be as follows:

Input dropdown - Time Picker, Customer, Host Name

Either identify using probe data or Splunk command metrics.

Output for the following metrics should be shown as a time graph with # of logins and logouts.

The graph should consist of time, which host and which customer we are using, and the query should also have the tokens when I run the query. Can you give me the search query for this requirement? I used multiple queries but am not getting the exact data.

Can you help me with the query? Thanks.


gcusello
SplunkTrust

Hi @anu1,

the dashboard is very easy, but it requires a preparation that depends on the number of data sources that you want to display in this dashboard.

In a few words, you should:

  • analyze your data sources and define the conditions for LOGIN, LOGOUT and LOGFAIL, e.g., for Windows login is EventCode=4624, logout is EventCode=4634 and logfail is EventCode=4625,
  • then create an eventtype for each condition, assigning a tag (LOGIN, LOGOUT or LOGFAIL) to each eventtype,
  • create some aliases to have the same field names for the fields to display (e.g. UserName, IP_Source, Hostname, etc.),
  • create a dashboard running a search like the following:
tag=$tag$ host=$host$ UserName=$user$
| table _time tag HostName UserName IP_Source

The three tags in the main search come from three inputs.

Let me know if you need help to create the dashboard; it's very easy.

Ciao.

Giuseppe

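A worked Simple XML dashboard for the layout described in the reply above (a time picker, a Customer input and a Host Name input driving a time chart of logins versus logouts). This is an added example, not code from the original thread or from Splunk. It assumes the preparation steps are already done: events are tagged LOGIN and LOGOUT via eventtypes, and a HostName alias exists. The Customer field is an assumption (the asker mentions a customer input but the reply names no such field), and the token names time_tok, customer_tok and host_tok are the example's own rather than the $tag$/$host$/$user$ tokens used in the reply.

```xml
<!-- Added example dashboard (Simple XML), not part of the original thread. -->
<!-- Assumes tags LOGIN/LOGOUT, a HostName alias and a Customer field exist. -->
<form>
  <label>Logins and logouts by customer and host</label>

  <fieldset submitButton="false" autoRun="true">
    <!-- Time picker: exposes $time_tok.earliest$ and $time_tok.latest$ -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- Customer dropdown, populated from the tagged events in the chosen time range -->
    <input type="dropdown" token="customer_tok">
      <label>Customer</label>
      <choice value="*">All customers</choice>
      <default>*</default>
      <fieldForLabel>Customer</fieldForLabel>
      <fieldForValue>Customer</fieldForValue>
      <search>
        <query>(tag=LOGIN OR tag=LOGOUT) | stats count by Customer | sort Customer</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
    </input>

    <!-- Host dropdown, narrowed to the selected customer -->
    <input type="dropdown" token="host_tok">
      <label>Host name</label>
      <choice value="*">All hosts</choice>
      <default>*</default>
      <fieldForLabel>HostName</fieldForLabel>
      <fieldForValue>HostName</fieldForValue>
      <search>
        <query>(tag=LOGIN OR tag=LOGOUT) Customer="$customer_tok$" | stats count by HostName | sort HostName</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Logins and logouts over time: $customer_tok$ / $host_tok$</title>
      <chart>
        <search>
          <!-- One series per tag (LOGIN, LOGOUT), bucketed per hour -->
          <query>(tag=LOGIN OR tag=LOGOUT) Customer="$customer_tok$" HostName="$host_tok$"
| timechart span=1h count by tag</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleY.text">Events</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Event detail</title>
      <table>
        <search>
          <query>(tag=LOGIN OR tag=LOGOUT) Customer="$customer_tok$" HostName="$host_tok$"
| table _time tag Customer HostName UserName IP_Source
| sort - _time</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste the XML into the dashboard editor's source view, or save it as a view file under an app's local/data/ui/views directory. Selecting "All" in a dropdown sets the token to "*", so the wildcard matches every value; the dependent host dropdown re-runs its populating search whenever the customer token changes, and every search inherits the time picker through the earliest/latest tokens, so the chart and the detail table always cover the same window.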

anu1
New Member

Sure. Thank you.

gcusello
SplunkTrust

Hi @anu1 ,

Let us know if we can help you more, or, please, accept one answer for the other people in the Community.

Ciao and happy Splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


PaulPanther
Motivator

Please share the search so far and some sample data; then we might be able to help you with the search query.
