This query will show a timechart of the status of an Locked Out Account sourcetype=”WinEventLog:Security” EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count
Nr. of unique visitors per hour timechart
host=insertHostnameHere sourcetype=access_combined | timechart span=1h dc(sourceIP) If you have Fieldextraction for the visitor IP’s, in this example named ‘sourceIP’, this simple query will list the number of unique visitors per hour
Timechart of Linux Logons
The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)” | search authstatus=”authentication success” | timechart count(username) The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| […]
