Some sample searches to start with as requested. You can adjust the time spans and thresholds as needed. These queries should provide a foundation for your AUTHZ usage dashboard, balancing detail with performance.

Total AUTHZ attempts:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Total
```

Successful vs. failed authorizations:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count(eval(INFO="success" OR match(ERROR,"user failure"))) as Success, count as Total
| eval Failed = Total - Success
| eval Success_Rate = round((Success/Total)*100,2)
| table Success, Failed, Total, Success_Rate
```

Authorization attempts by host:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| stats count as Attempts by host
| sort -Attempts
| head 10
```

Peak authorization times and average response time:

```
index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word")
| timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration
| eval avg_duration=round(avg_duration/1000,2)
| eval p95_duration=round(p95_duration/1000,2)
```