Dashboard with three separate columns that let you drill into three separate assets to find out who logged on, when they logged on, and how they logged on. Remote logons, local logons, and unlocks/reconnects are covered, but not Type 3 (network logons for shared file access etc.).
Time picker set so you can alter the time frame on the fly.
No add-ons required; it should work with standard Splunk ingesting Windows event code 4624.
<form theme="dark">
  <label>Who Logged On?</label>
  <fieldset submitButton="false">
    <input type="time" token="timeFrame">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="HostName">
      <label>Hostname</label>
    </input>
    <input type="text" token="Hostname2" searchWhenChanged="true">
      <label>Hostname #2</label>
    </input>
    <input type="text" token="Hostname3">
      <label>Hostname #3</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$HostName$ | rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)" | eval Type=case(Logon_Type=10,"Remote Logon", Logon_Type=2,"Local Logon", Logon_Type=7,"Screen Unlock") | table _time host Type account | sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$Hostname2$ | rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)" | eval Type=case(Logon_Type=10,"Remote Logon", Logon_Type=2,"Local Logon", Logon_Type=7,"Screen Unlock") | table _time host Type account | sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$Hostname3$ | rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)" | eval Type=case(Logon_Type=10,"Remote Logon", Logon_Type=2,"Local Logon", Logon_Type=7,"Screen Unlock") | table _time host Type account | sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
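As an added example that is not part of the posted dashboard: the Python below reproduces one panel's logic offline, so you can see what the search's rex and case() actually do to a 4624 event before pointing the dashboard at real data. It assumes the event body is in the multi-line text form the Windows event log input produces (the sample events are constructed and the hostnames and accounts are invented), and it parses Logon Type from that text instead of relying on Splunk's auto-extracted Logon_Type field.

```python
import re
from typing import Dict, List, Optional

# The dashboard's eval/case() mapping. Only interactive logon types are kept;
# Type 3 (network, e.g. SMB share access) is deliberately left out.
LOGON_TYPE_LABELS = {10: "Remote Logon", 2: "Local Logon", 7: "Screen Unlock"}

# Same idea as the dashboard's rex: take the "Security ID" line that follows
# the "New Logon:" header, not the one under "Subject:" (the calling account).
ACCOUNT_RE = re.compile(r"New Logon:\s+Security ID:\s+(?P<account>.*)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(?P<logon_type>\d+)")


def parse_event(body: str) -> Optional[Dict[str, object]]:
    """Extract Logon Type and the New Logon account from one 4624 event body.

    Returns None when no Logon Type is present (the event is not usable).
    A missing New Logon line yields an empty account, which is what the
    dashboard shows when its rex does not match.
    """
    type_match = LOGON_TYPE_RE.search(body)
    if not type_match:
        return None
    account_match = ACCOUNT_RE.search(body)
    account = account_match.group("account").strip() if account_match else ""
    return {"logon_type": int(type_match.group("logon_type")), "account": account}


def who_logged_on(events: List[Dict[str, str]], host: str) -> List[Dict[str, str]]:
    """Offline equivalent of one dashboard panel for a given host token."""
    rows = []
    for ev in events:
        if ev["host"] != host:
            continue
        parsed = parse_event(ev["body"])
        if parsed is None or parsed["logon_type"] not in LOGON_TYPE_LABELS:
            continue  # drops Type 3, 4, 5, ... exactly as the search filter does
        rows.append({
            "_time": ev["_time"],
            "host": ev["host"],
            "Type": LOGON_TYPE_LABELS[parsed["logon_type"]],
            "account": parsed["account"],
        })
    # "| sort _time desc": ISO-8601 timestamps sort lexically in time order
    rows.sort(key=lambda r: r["_time"], reverse=True)
    return rows


def _event(ts: str, host: str, logon_type: int, subject_sid: str, new_sid: str) -> Dict[str, str]:
    """Build a constructed 4624 event body in the Windows event log text layout."""
    body = (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        f"\tSecurity ID:\t\t{subject_sid}\n"
        "\tAccount Name:\t\t-\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "New Logon:\n"
        f"\tSecurity ID:\t\t{new_sid}\n"
        "\tAccount Name:\t\t-\n"
    )
    return {"_time": ts, "host": host, "body": body}


# Constructed sample data (hostnames, accounts and times are invented).
SAMPLE_EVENTS = [
    _event("2024-03-01T08:15:00", "WS01", 2, "NULL SID", "CORP\\alice"),
    _event("2024-03-01T09:40:00", "WS01", 3, "NULL SID", "CORP\\svc_backup"),  # network logon, excluded
    _event("2024-03-01T12:05:00", "WS01", 7, "CORP\\alice", "CORP\\alice"),
    _event("2024-03-01T13:30:00", "WS02", 10, "NULL SID", "CORP\\bob"),
    _event("2024-03-01T18:00:00", "WS01", 10, "NULL SID", "CORP\\helpdesk"),
]

if __name__ == "__main__":
    for row in who_logged_on(SAMPLE_EVENTS, "WS01"):
        print(row["_time"], row["host"], row["Type"], row["account"])
```

Running it prints the WS01 panel as the dashboard would render it: the newest interactive logon first, and the Type 3 service-account logon absent even though it is a 4624 on the same host.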
Hi, I'm new to Splunk… Doesn't seem to work for me… Not sure what input values I need to place in it?
Armando,
You'll need to have access to the correct indexes for this; you might need to manually enter the index name if your role doesn't search all non-internal indexes by default.
Thanks I got it to work now. Cheers!
I tried it… not working. I just added index=main at the beginning.
Giving the below error:
Error in 'search' command: Unable to parse the search: Comparator '<' has an invalid term on the left hand side: index=main.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
Can someone help?
Where did you insert ‘index=main’? It should be at the beginning of each , not at the beginning of the code. If you could provide more context then someone may be able to help.
Didn't work for me either. I used index IN (wineventlog, security) source=wineventlog*.
I know this part works, but the dashboard shows no data