I'm looking at creating a dashboard where I can generate standardized reports based on behaviors. To get started, I just want to provide administrators with a list of login activity by server so they can validate the lookup lists.
What I'm trying to draw in a table is similar to this:
Account Name | Event Codes | Logon Type | Sparklines | Peak Count | Peak Time
Joe Smith    | 4624        | 3, 5, 6    | 4624 Spark | 4624 Peak  | Time of 4624 peak
             | 4625        | 0          | 4625 Spark | 4625 Peak  | Time of 4625 peak
Right now I've got the base search figured out:
sourcetype=WinEventLog:Security host=HostNameHere | stats values(EventCode) values(Logon_Type) sparkline(count(Account_Name)) count(Account_Name) by Account_Name | sort Account_Name
1st problem:
What I can't get added correctly are the peak measurements. I've tried some stats functions like max(count) or eval max=count, but they end up null.
Question: How can I get this to correctly evaluate the peak count & time that is shown in the sparkline?
2nd problem:
I can get the eventCodes to all stay in a single cell related to the account name, but I can't get the rest to obey the same principle.
Question: Is it even possible to format the table as I'm attempting to do? I can't seem to find, via Google, anyone who has tried to get the values of fields to actually line up with each other.
1st problem: What about this?
sourcetype=WinEventLog:Security host=HostNameHere | stats values(EventCode) as Event_Codes values(Logon_Type) as Logon_Type sparkline(count) by Account_Name | join Account_Name [search sourcetype=WinEventLog:Security host=HostNameHere | bucket _time span=1m | stats count as peak_count by _time,Account_Name | dedup Account_Name sortby -peak_count | rename _time as peak_time]
Note: the peak will only display the first item.
2nd problem: I'm sorry, I don't understand this problem well. Can you explain it in a little more detail?
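As an added example (not from the question or the answer above), here is a single-pipeline variant that computes the peak count and peak time for each account without a join, and groups by EventCode as well so that 4624 and 4625 get their own rows under the same account, which is the nearest Splunk can get to the sub-row layout asked for in the 2nd problem. It assumes the field names used on this page (Account_Name, EventCode, Logon_Type), a placeholder host called HostNameHere, and a 1-hour bucket; the EventCode filter is an assumption and can be dropped to include every code.

```spl
sourcetype=WinEventLog:Security host=HostNameHere (EventCode=4624 OR EventCode=4625)
| bin _time span=1h
| stats count AS hourly_count values(Logon_Type) AS Logon_Type BY _time Account_Name EventCode
| eventstats max(hourly_count) AS Peak_Count BY Account_Name EventCode
| eval peak_time=if(hourly_count==Peak_Count, _time, null())
| stats sparkline(sum(hourly_count), 1h) AS Activity
        values(Logon_Type) AS Logon_Type
        max(Peak_Count) AS Peak_Count
        min(peak_time) AS Peak_Time
        BY Account_Name EventCode
| eval Peak_Time=strftime(Peak_Time, "%Y-%m-%d %H:%M")
| sort 0 Account_Name EventCode
```

The first stats counts events per account, code and hour; eventstats copies the largest hourly count back onto every row of that account/code; the eval keeps _time only on the row(s) that hit the peak, so min(peak_time) in the second stats is the earliest hour at which the peak occurred. The sparkline span (1h) must match the bin span, otherwise the Peak_Count will not correspond to any point drawn in the sparkline. Avoiding join also sidesteps the subsearch result and time limits that the join-based search runs into on a busy host, and sort 0 lifts the default 10,000-row cap on sort.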