High Level Windows Dashboard

Part 1 – User Logon Activity

The following Splunk dashboard provides a high-level view of Windows user logon activity. It should be emphasized that the focus of this dashboard is fairly high level. It has a time picker (defaulting to 7 days) and shows both successful and failed user logons (table and timechart), as well as logon duration, general Windows authentication events, and some common event codes associated with each user. Depending on the number of users in your environment, the last panel/query may need to be modified, as it uses “| stats values(user)” to list the users per event code. Panels use color where it makes sense for me, such as for user names and host names. I’ll include another Windows Dashboard (Part 2) in the future.
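
A minimal Simple XML form in the spirit of the description above, added here as an illustration and not the author's dashboard source: a time picker defaulting to 7 days, a success/failure logon timechart, and a users-per-event-code table that caps the `values(user)` list for large environments. The index name `wineventlog`, the `EventCode` and `user` field names, the choice of event codes, and the cap of 20 users are assumptions to adjust for your data.

```xml
<form>
  <label>Windows User Logon Activity (added example)</label>
  <!-- Assumptions: index=wineventlog and the EventCode/user fields are
       placeholders; change them to match your own Windows event data. -->
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- 4624 = successful logon, 4625 = failed logon -->
      <title>Successful vs. failed logons</title>
      <chart>
        <search>
          <query>index=wineventlog (EventCode=4624 OR EventCode=4625)
| eval outcome=if(EventCode==4624, "success", "failure")
| timechart count by outcome</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <!-- dc(user) keeps the true count; mvindex trims the displayed
           list to the first 20 names so the cell stays readable. -->
      <title>Users per event code (capped)</title>
      <table>
        <search>
          <query>index=wineventlog EventCode IN (4624, 4625, 4634, 4648)
| stats dc(user) AS distinct_users values(user) AS users by EventCode
| eval users=mvindex(users, 0, 19)</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Queries that contain `<` or `&` must be XML-escaped or wrapped in CDATA inside `<query>`, otherwise the dashboard source fails to parse.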

Comments

  1. Neil K

    How do you input all of this information? I am working in Splunk 7.2.3. When I input this XML in the Dashboard > Source, I get error(s): Error parsing XML on line 25: Premature end of data in tag form line 1.
    I would like to try this dashboard to see how it looks. Are some of the tags missing at the end?

    Thanks!

    1. SplunkNinja

      Neil,
      Please give this a shot again. I updated the XML escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.

      Thanks for the comment and letting me know!
