Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

splunk query issues

anu1
New Member
‎01-08-2025 09:35 PM

Hey team,

I have one requirement i.e have to Create a splunk dashboard to report the # of Logins , # of Logouts

The input for the Splunk report should be as follows : 

Input dropdown - Time Picker, Customer, Host Name

Either identify using probe data or Splunk Command metrics

Output for the following metrics should be shown as a timegraph with # of logins, logouts ,

the graph should consists of time,which host and which customer we are using.and the query also should have the tokens when i ran the query can you give me the search query for this requirement.I used multiple queries but am not getting the exact data.

Can you help me with the query.Thanks.

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-08-2025 11:59 PM

Hi  @anu1

,the dashboard is very easy, but it requires a preparation that depends on the number of data sources that you want to display in this dashboard.

In few words, you should:

  • analyze your data sources and define the conditions for LOGIN, LOGOUT and LOGFAIL, eg, for Windows login is EventCode=4624, logout is EventCode=4634 and logfail is EventCode=4625,
  • then create av eventtype for each condition assigning a tag (LOGIN, LOGOUT or LOGFAIL) to each eventtype,
  • create some alias to have the same field names for the fields to display (e.g. UserName, IP_Source,  Hostname, etc...)
  • create a dashboard running a search like the following:
tag=$tag$ host=$host$ UserName=$user$
| table _time tag HostName UserName IP_Source

the three tags in the main search come from three inputs.

Let me know if you need help to create the dashboard that's very easy.

Ciao.

Giuseppe

 

0 Karma
Reply

anu1
New Member
‎01-09-2025 12:13 AM

Sure.Thank you.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-09-2025 03:33 AM

Hi @anu1 ,

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply

PaulPanther
Motivator
‎01-08-2025 10:53 PM

Please share the search so far and some sample data then we might be able to help you with the search query.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...