Jonathan,
A little background on this correlation. The "Access - Completely Inactive Account - Rule" saved search is what generates "Completely Inactive Account" notable events. This can be modified to produce the results that you desire.
Currently (in ES 3.0), the ootb definition for this search is:
| `inactive_accounts(90)` | `settags("access")` | `ctime(lastTime)` | table user,dest,orig_tag,dayDiff,lastTime
As you can see this correlation search uses a macro `inactive_accounts` as the logic to determine what an inactive account is.
| inputlookup append=T access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | `get_identity4events(user)` | eval _time=lastTime | `daysago($greaterThan$,">=")`
Since we do not split by host (only user) in our stats command, messages from a username logging into unique hosts will be consolidated (unless the usernames are unique).
Can you also elaborate on which dashboard and panel are giving you errors rendering. I have seen errors related to truncating results when too much data is passed to column/timecharts. Here are some options for charts experiencing truncation issues:
The limit is on the total number of points that are drawn (the actual limit is 1500 I believe), so you have a few options:
1) choose a larger span for timechart, or try letting it auto-span
2) set a limit on the number of series that are shown
3) use a line or area chart (they have a higher limit because they don't have the overhead of drawing a shape for each point)
4) In a dashboard, you can set the limit per panel like this:
<option name="charting.chart.resultTruncationLimit">15000</option>
Let me know if you have any more questions.
David
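As an added illustration (not part of David's answer and not the shipped Splunk ES search), here is what the inactive-account logic looks like when the macro body from the answer is expanded inline and the stats split is changed from `by user` to `by user, dest`, so that each user/host pair gets its own lastTime instead of being consolidated per user. The constant 90 replaces the macro argument `$greaterThan$`; it is assumed that the `access_tracker` lookup populates `dest` for every row and that the `daysago` macro produces the `dayDiff` field shown in the original table command.

```spl
| inputlookup append=T access_tracker
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by user, dest
| `get_identity4events(user)`
| eval _time=lastTime
| `daysago(90,">=")`
| `settags("access")`
| `ctime(lastTime)`
| table user, dest, orig_tag, dayDiff, lastTime
```

Note the trade-off: splitting by `dest` means an account that is still active on one host but has not touched another host for 90 days will now produce a notable for the second host, so expect more results (and more rows hitting the chart truncation limit discussed above) than the per-user version.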