Hi,
I have a query for login failures followed by a lockout. I can run it in the Search and Reporting app, but I am unable to save it as a dashboard: the dashboard shows "waiting for inputs". Below is the search string.
earliest=-1d@d latest=@d index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1)
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 7200
| fields - count
| map maxsearches=1000 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
| regex Account!="\\$"
| eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip
| convert ctime(lastFailure)
| rename Account AS "Blocked Account", count AS LoginFailures
The error is due to the token being passed, which does not work in a dashboard. Can someone help?
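One way to embed this search in a Simple XML dashboard, written here as an added example rather than as part of the original post: in Simple XML, a literal `$` inside `<query>` must be written as `$$`, otherwise the dashboard treats `$modtime$`, `$lastBlock$` and `$Account$` (and the `$` in the machine-account regex) as its own input tokens and the panel keeps waiting for them to be set. The dashboard label and panel title are assumptions; the search itself is the one from the post, with the time range moved into the `<earliest>`/`<latest>` elements and every `$` doubled.

```xml
<dashboard>
  <label>Account lockouts with preceding login failures</label>
  <row>
    <panel>
      <!-- Panel title is an assumption; the search is the poster's own query. -->
      <title>Lockouts (EventCode 4740) and failures in the two hours before each lockout</title>
      <table>
        <search>
          <query>
index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1)
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 7200
| fields - count
| map maxsearches=1000 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$$modtime$$ latest=$$lastBlock$$ Account_Name=$$Account$$"
| eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
| regex Account!="\\$$"
| eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip
| convert ctime(lastFailure)
| rename Account AS "Blocked Account", count AS LoginFailures
          </query>
          <!-- The earliest=-1d@d latest=@d from the original search string,
               expressed as the panel's own time range. -->
          <earliest>-1d@d</earliest>
          <latest>@d</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The `$$modtime$$`, `$$lastBlock$$` and `$$Account$$` forms are unescaped by the dashboard back to `$modtime$`, `$lastBlock$` and `$Account$` before the search is dispatched, so `map` still receives the per-row substitution it expects; the doubled `$` in `"\\$$"` likewise reaches the regex as a single literal `$`. The `$$` escaping is only needed inside dashboard XML; the search as originally posted is what runs in the Search and Reporting app.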