Splunk® Enterprise

Splunk Enterprise Scenarios

This documentation does not apply to the most recent version of Splunk.

Create visualizations

You now have fields to help drive the visualizations in the failed login dashboard.

Start building the dashboard.

  • Use searches to generate single value visualizations.
  • Save a search as a report and add it to a dashboard.

Part 1: Search for authentication failures

The first dashboard panel to build shows login failure counts. This panel divides login failures into these two categories.

  • Login failures on valid accounts.
  • Failed attempts to harvest account data.

Step

  1. From the Search and Reporting app, run this search for login failure events.
    sourcetype=secure failed

Part 2: Create a single value visualization

  1. The search results are not yet formatted to generate a visualization. Modify the search to aggregate the login failure events and generate a count.
    sourcetype=secure failed | stats count
  2. Run the search, then select the Visualizations tab.
  3. Select Single Value Visualization from the Visualization Picker.
    The single value visualization appears.
  4. Select Format to customize the visualization.
  5. In the General settings panel, add "Failed attempts" to the Caption field. The visualization now shows the count with the "Failed attempts" caption.
    The count value shown can vary.

Part 3: Save the visualization as a report

  1. Select Save As > Report.
  2. Configure the report. Use the following settings.
    Title: Choose a title.
    Time Range Picker: No.
  3. Click Save.

Part 4: Add the report to a dashboard

  1. On the next screen, select Add to Dashboard.
  2. Select New to create a new dashboard.
  3. Provide a dashboard title. For example, "Failed Logins".
  4. Select Panel Powered By Report.
  5. Click Save.

You now have a dashboard with one panel. This panel shows the total number of failed authentications. In addition to the total count, you can add panels that show counts for failures on valid and invalid accounts.


Part 5: Generate additional visualizations

Generate single value visualizations showing invalid and valid account login failures.

  1. Follow the preceding steps to run a search, create a single value visualization, and add captions. Use the following search strings and captions for the two new visualizations.
    Visualization showing: Login failures on invalid accounts
    Search: sourcetype=secure failed "invalid user" | stats count
    Caption: Invalid accounts

    Visualization showing: Login failures on valid accounts
    Search: sourcetype=secure failed NOT "invalid user" | stats count
    Caption: Valid accounts
  2. Save each visualization as a report and add it to the dashboard. The dashboard now has three single value panels: the total count, the invalid account count, and the valid account count. The counts displayed might vary.
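
The three panel searches partition the same set of events, so the invalid and valid account counts should add up to the total. The following added example (not part of the Splunk documentation) reproduces that counting logic in Python over constructed sshd-style log lines; the function name and sample data are assumptions, and the regular expressions only approximate Splunk's case-insensitive keyword matching.

```python
import re

# Constructed sample lines in the style of a Linux "secure" log (sshd).
# Addresses come from documentation ranges; none of this is real data.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:19 web01 sshd[2214]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Mar  3 10:02:40 web01 sshd[2230]: Accepted password for alice from 198.51.100.20 port 40211 ssh2
Mar  3 10:03:02 web01 sshd[2241]: Failed password for alice from 198.51.100.20 port 40300 ssh2
Mar  3 10:03:30 web01 sshd[2250]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Approximation of the keyword `failed` and the phrase "invalid user".
FAILED = re.compile(r"\bfailed\b", re.IGNORECASE)
INVALID_USER = re.compile(r"\binvalid user\b", re.IGNORECASE)


def count_login_failures(log_text):
    """Return the three counts that the dashboard panels display.

    failed_attempts  ~ sourcetype=secure failed | stats count
    invalid_accounts ~ sourcetype=secure failed "invalid user" | stats count
    valid_accounts   ~ sourcetype=secure failed NOT "invalid user" | stats count
    """
    counts = {"failed_attempts": 0, "invalid_accounts": 0, "valid_accounts": 0}
    for line in log_text.splitlines():
        if not FAILED.search(line):
            continue  # successful logins and session events are not counted
        counts["failed_attempts"] += 1
        if INVALID_USER.search(line):
            counts["invalid_accounts"] += 1  # account does not exist on the host
        else:
            counts["valid_accounts"] += 1  # existing account, wrong credentials
    return counts


if __name__ == "__main__":
    result = count_login_failures(SAMPLE_SECURE_LOG)
    for caption, value in result.items():
        print(f"{caption}: {value}")
    # The two sub-panels must always sum to the total panel.
    assert result["invalid_accounts"] + result["valid_accounts"] == result["failed_attempts"]
```
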

Part 6: Start customizing dashboard layout

To save space, put all of the dashboard panels in one row.

  1. Select Edit > Edit Panels.
  2. Click and drag the panels to place them in one row.
  3. Click Done.

The next part of the scenario shows you how to add more customizations.

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

