Windows Overview Dashboard error.
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix
Source:
Windows Overview - v2.4
<panel>
<!-- General statistics. Live counts come from index=winevents for the dashboard time range;
     the "Total" tiles read AD_Users.csv / AD_Hosts.csv, which are snapshots that go stale unless
     whatever job populates them keeps running. rangeValues [0] with rangeColors [red, grey]
     colours a "Total" tile red when its lookup is empty or missing, which is the cue to check that job. -->
<html>
<h1>
<center>General Information System Statistics Panel</center>
</h1>
</html>
<single>
<title>Active Users</title>
<!-- Distinct user values on successful logons (4624, legacy 528). There is no Logon_Type or
     account filter, so machine accounts (names ending in $) and network/service logons are
     counted too; this over-reads "interactive" active users. dedup + count(user) is a distinct count. -->
<search>
<query>index=winevents EventCode=4624 OR EventCode=528 |dedup user |stats count(user)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="underLabel">Number of Active Users</option>
<option name="useColors">0</option>
<option name="drilldown">none</option>
</single>
<single>
<title>Total AD Users</title>
<!-- Row count of the AD_Users.csv lookup (rows with a DisplayName). -->
<search>
<query>|inputlookup AD_Users.csv |stats count(DisplayName)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">1</option>
<option name="underLabel">Total Users</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xd93f3c","0x555"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
<single>
<title>Active Hosts</title>
<!-- Distinct host values that sent any event to index=winevents in the time range, i.e.
     "reporting hosts" rather than hosts with user activity. Compare with Missing Forwarders below. -->
<search>
<query>index=winevents |dedup host |stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">0</option>
<option name="underLabel">Number of Active Hosts</option>
<option name="drilldown">none</option>
</single>
<single>
<title>Total AD Hosts</title>
<!-- Row count of the AD_Hosts.csv lookup (rows with a DisplayName). -->
<search>
<query>|inputlookup AD_Hosts.csv |stats count(DisplayName)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="useColors">1</option>
<option name="underLabel">Total Hosts</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xd93f3c","0x555"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
<panel>
<!-- User account lifecycle events (modern 47xx codes plus their 2003-era 6xx equivalents).
     Tiles use rangeValues [0,10,100]: green at 0, yellow up to 10, orange up to 100, red above.
     trendInterval -7d compares the value with the same window one week earlier.
     Drilldowns derive the acting account: mvindex(Account_Name,0) for modern events (the dashboard
     treats the first Account_Name value as the subject) or Caller_User_Name for legacy events;
     "user" is the target account. The rename labels are misspelled ("Preformed"). -->
<html>
<h1>
<center>User Account Action Panel</center>
</h1>
</html>
<single>
<title>Newly Created Accounts</title>
<!-- Distinct target accounts created (4720 / 624). Note this tile counts distinct users while the
     other tiles in this panel count events. The legacy "drilldown"/"linkView" options coexist with
     the <drilldown> element; the element is what opens the new-tab search. -->
<search>
<query>index=winevents EventCode=4720 OR EventCode=624 | chart dc(user)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">New Accounts</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4720 OR EventCode=624 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
<option name="linkView">search</option>
<option name="drilldown">all</option>
</single>
<single>
<title>Account Modifications</title>
<!-- Event count for account enable/disable and legacy change events (4722, 4725, 625, 626, 629). -->
<search>
<query>index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725 | chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Account Modifications</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725| eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Accounts Deleted</title>
<!-- Event count for account deletions (4726 / 630). trendColorInterpretation is "standard" here,
     so a rise shows green; "inverse" would be consistent with the other tiles in this panel. -->
<search>
<query>index=winevents EventCode=630 OR EventCode=4726 |chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Accounts Deleted</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=630 OR EventCode=4726 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Password Changes</title>
<!-- Password change attempts and resets (4723, 4724, legacy 627, 628), excluding machine
     accounts via Account_Name!=*$. Splunk evaluates OR before the implicit AND, so that filter
     applies to all four codes; wrapping the OR chain in parentheses would make the intent explicit.
     In the drilldown, a 4724 whose acting account differs from the target is a reset by someone
     else; those are the entries worth reviewing. -->
<search>
<query>index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ |chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Password Changes</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"</link>
</drilldown>
</single>
<single>
<title>Account Lockouts</title>
<!-- Lockout events (4740 / 644); "user" is the locked-out account. The drilldown does not show
     where the failed attempts came from; if the caller computer field is extracted for 4740 in this
     index, adding it to the table makes spray/brute-force sources visible. A rising lockout count
     is shown green ("standard"); consider "inverse". -->
<search>
<query>index=winevents EventCode=644 OR EventCode=4740|chart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">auto</option>
<option name="underLabel">Account Lockouts</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=644 OR EventCode=4740 | table EventCode, signature, user, host, _time</link>
</drilldown>
</single>
</panel>
<panel>
<!-- Computer account and host health events. All tiles are event counts (stats count(host)
     counts events that carry a host field, not distinct hosts). -->
<html>
<h1>
<center>Computer Account Actions Panel</center>
</h1>
<h3>
<center>(Investigate any actions that appear here)</center>
</h3>
</html>
<single>
<title>Newly Created Computers</title>
<!-- Computer account creation (4741 / legacy 645). "host" is the logging DC; the drilldown shows
     "user" as the acting account. Unexpected creations can indicate rogue domain joins. -->
<search>
<query>index=winevents EventCode=4741 OR EventCode=645 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">New Computers</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4741 OR EventCode=645 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
<single>
<title>Recently Deleted Computers</title>
<!-- Computer account deletion (4743 / legacy 647). -->
<search>
<query>index=winevents EventCode=4743 OR EventCode=647 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Deleted Computers</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4743 OR EventCode=647 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
<single>
<title>Group Policy Errors</title>
<!-- EventCode=1202 with no SourceName/sourcetype term. Presumably the security-policy
     application failure (SceCli) event is intended; event ID 1202 is also used by other sources,
     so add the SourceName once confirmed. Hosts that fail to apply security policy drift from the
     intended hardening baseline, hence the "investigate" banner. -->
<search>
<query>index=winevents EventCode=1202 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Group Policy Errors</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=1202 | stats count sparkline AS Trend by host | sort - count</link>
</drilldown>
</single>
<single>
<title>Shutdowns Computer</title>
<!-- System shutdown events (4609 / legacy 513). Tighter thresholds than the other tiles
     (rangeValues [0,3,5]) and a 24h trend window. -->
<search>
<query>index=winevents EventCode=4609 OR EventCode=513 | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,3,5]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Shutdowns</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4609 OR EventCode=513 | table EventCode, signature, host, user, _time</link>
</drilldown>
</single>
</panel>
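<panel>
<!-- Agent and software health. Tiles use rangeValues [0,10,100] (except AV Updates) and a
     -7d trend window. Duplicate linkView option lines were removed; the <drilldown> element is
     what drives the click-through. -->
<single>
<title>Missing Forwaders</title>
<!-- Hosts whose most recent indexed event in index=winevents (metadata lastTime) is older than
     two hours. A silent host is exactly what a stopped or disabled forwarder, or a cleared/tampered
     audit log, looks like, so treat these as security events rather than ops noise; decommissioned
     hosts also remain listed until they age out of the index. -->
<search>
<query>| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Missing Forwaders</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime| table host, lastTime | sort - lastTime</link>
</drilldown>
<option name="linkView">search</option>
<option name="drilldown">all</option>
</single>
<single>
<title>Software Installs</title>
<!-- MsiInstaller 11707 (installation completed successfully). Only MSI-based installs are
     visible here; other installer types are not covered. host="*" is a no-op filter. -->
<search>
<query>index=winevents SourceName=MsiInstaller EventCode=11707 host="*" | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Software Installs</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<drilldown target="new">
<link>/app/IA_Overview/SW_Detailed</link>
</drilldown>
</single>
<single>
<title>Software Uninstalls</title>
<!-- MsiInstaller 11724 (removal completed successfully). Same MSI-only caveat as above. -->
<search>
<query>index=winevents SourceName=MsiInstaller EventCode=11724 host="*" | stats count(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Software Uninstalls</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/SW_Detailed</link>
</drilldown>
</single>
<single>
<title>AV Updates</title>
<!-- Number of distinct hosts with at least one EventCode=7 EventType=4 event in the last 30 days.
     The earliest/latest terms in the query override the dashboard time picker. There is no
     SourceName/sourcetype term, so any Windows source that logs event ID 7 is counted; presumably
     the AV product's update-success event is meant, so scope the query to that SourceName once
     confirmed. dc(host) replaces the original "stats first(1) by host | stats count(host)", which
     produced a per-host row count. rangeValues [0] with [red, green]: red only when nothing matched.
     The drilldown sorts on a "Date" field that the search does not produce, so its order is unsorted. -->
<search>
<query>index=winevents EventCode=7 EventType=4 latest=now earliest=-30d@d | stats dc(host)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xd93f3c","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">AV Updates</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=7 EventType=4 | stats count sparkline AS Trend by host| sort + Date</link>
</drilldown>
</single>
</panel>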
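<panel>
<!-- DLP agent events from the System log, SourceName=scomc (the agent product is not named here;
     confirm which product writes these IDs and what 14/16/18/19/25/26 mean for it).
     "transaction _time, host, user" collapses events sharing the same timestamp, host and user into
     one, so each tile counts distinct (time, host, user) groups rather than raw events; transaction
     is memory-heavy on large volumes and "stats count by _time, host, user | stats count" would
     give the same number more cheaply. Duplicate linkView option lines were removed. -->
<html>
<h1>
<center>Data Loss Protection Action Panel</center>
</h1>
<h3>
<center>(Investigate any actions that appear here)</center>
</h3>
</html>
<single>
<title>File Shadow Reads</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=26 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Shadow Reads</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Shadow Writes</title>
<!-- 24h trend window here and below, versus -7d for reads. -->
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=25 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Shadow Writes</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Failed Reads</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=18 | transaction _time, host, user | stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Reads</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>File Failed Writes</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=19 | transaction _time, host, user| stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Writes</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
<single>
<title>Media/Device Actions</title>
<search>
<query>index=winevents sourcetype="WinEventLog:System" SourceName=scomc (EventCode=14 OR EventCode=16) | transaction _time, host, user| stats count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">true</option>
<option name="showTrendIndicator">true</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Media/Device Actions</option>
<option name="useColors">true</option>
<option name="useThousandSeparators">true</option>
<option name="linkView">search</option>
<option name="linkFields">result</option>
<drilldown target="new">
<link>/app/IA_Overview/DLP_Detailed</link>
</drilldown>
</single>
</panel>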
<panel>
<title>Failed Logon Panel</title>
<single>
<title>Failed Logons</title>
<!-- Raw count of failed logons: 4625 plus the legacy 529/531/532/533/535/537 set (other legacy
     failure codes in the 53x range are not included). colorBy=trend with colorMode=none, so the
     colour reflects the 24h trend arrow rather than the rangeValues thresholds. -->
<search>
<query>index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count</query>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Failed Logins</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count sparkline AS Trend by user, signature | sort - count</link>
</drilldown>
</single>
<table>
<title>Failed Logons for Unknown Accounts</title>
<!-- Failures for user names that do not exist: 4625 with Sub_Status 0xC0000064, or any legacy 529.
     The rex pulls the account name out of the raw "Account For Which Logon Failed" message block
     (it depends on that exact text layout), and coalesce falls back to User_Name for legacy events.
     The Date eval is unused. Top 10 by attempt count. Caveat: the "Account" column frequently
     contains passwords typed into the user-name field, so this table is sensitive; restrict who
     can view the dashboard and do not export it casually. -->
<search>
<query>index=winevents sourcetype="WinEventLog:Security" (EventCode=4625 Sub_Status=0xC0000064) OR (EventCode=529) |eval Date=strftime(_time, "%Y/%m/%d") |rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<facct>\S.*)" | eval uacct=coalesce(facct,User_Name)| stats count sparkline AS Trend by uacct, host | rename count as "Attempts", uacct as "Account" | sort - Attempts</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<format type="sparkline"
field="Trend">
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="lineWidth">1</option>
<option name="height">25px</option>
</format>
</table>
</panel>
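<panel>
<title>After Hours Panel</title>
<single>
<title>After Hours Logins (Before 6 AM or After 6 PM)</title>
<!-- Successful logons (4624 / legacy 528) of interactive-style types 2, 7, 10 and 11 whose
     hour-of-day is > 18 or < 6. Splunk evaluates OR before the implicit AND, so the query reads
     (4624 OR 528) AND (type 2 OR 7 OR 10 OR 11); parentheses would make that explicit.
     Caveats: the hour comes from strftime, i.e. the searching user's time zone, not the host's;
     "> 18" excludes 18:00 to 18:59 even though the title says "after 6 PM"; weekends and holidays
     are treated as normal days. strftime returns a string and relies on Splunk's numeric
     auto-typing in the comparison; tonumber() would make that explicit too.
     The drilldown link is a URL, so the literal "%H" must be written as "%25H": an unescaped "%H"
     is an invalid percent-encoding and is what made the dashboard XML fail to parse
     ("The URI to be decoded is not a valid encoding"). -->
<search>
<query>index=winevents EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count</query>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,10,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">After Hours Logins</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<drilldown target="new">
<link>/app/IA_Overview/search?q=index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%25H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts</link>
</drilldown>
</single>
<table>
<title>After Hours Logins</title>
<!-- Same selection as the tile above, grouped by account and host. Inside <query> the "%H" is
     plain text, not a URL, so it needs no escaping here. -->
<search>
<query>index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<format field="Trend"
type="sparkline">
<option name="lineWidth">1</option>
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="height">25px</option>
</format>
</table>
</panel>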
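<panel>
<table>
<title>Domain Admin Activity</title>
<!-- Successful logons (4624) by members of "Domain Admins" as listed in the AD_Groups.csv lookup.
     The subsearch expands to "user=a OR user=b ...", so coverage is only as good as the lookup:
     it must be refreshed when membership changes, and nested group members are only seen if the
     CSV already flattens them. The fixed 90-day window overrides the dashboard time picker.
     Any 4624 type is counted (service and network logons included), so a busy admin account can
     dominate the table. The drilldown passes $click.value$, the first column of the clicked row
     (user), rather than $click.value2$ (the clicked cell), which sent the count or sparkline value
     when anything but the user cell was clicked. -->
<search>
<query>index=winevents EventCode=4624 [|inputlookup AD_Groups.csv| search group_name="Domain Admins" |table member_name| rename member_name AS user]|stats count sparkline AS Trend by user | sort - count</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<format field="Trend"
type="sparkline">
<option name="lineWidth">1</option>
<option name="lineColor">#5379af</option>
<option name="fillColor">#CCDDFF</option>
<option name="height">25px</option>
</format>
<drilldown target="new">
<link>/app/IA_Overview/Win_Priv_Detail?form.usertok=$click.value$</link>
</drilldown>
</table>
</panel>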