You now have fields to help drive the visualizations in the failed login dashboard.
Start building the dashboard.
- Use searches to generate single value visualizations.
- Save a search as a report and add it to a dashboard.
Part 1: Search for authentication failures
The first dashboard panel to build shows login failure counts. This panel divides login failures into these two categories.
- Login failures on valid accounts.
- Failed attempts to harvest account data.
- From the Search and Reporting app, run this search for login failure events.
Part 2: Create a single value visualization
- The search results are not yet formatted to generate a visualization. Modify the search to aggregate the login failure events and generate a count.
sourcetype=secure failed | stats count
- Run the search, then select the Visualizations tab.
- Select Single Value Visualization from the Visualization Picker.
The single value visualization appears.
- Select Format to customize the visualization.
- In the General settings panel, add "Failed attempts" to the Caption field.
The visualization now looks like this.
The count value shown can vary.
Part 3: Save the visualization as a report
- Select Save As > Report.
- Configure the report. Use the following settings.
- Title: Choose a title.
- Time Range Picker: No.
- Click Save.
Part 4: Add the report to a dashboard
- On the next screen, select Add to Dashboard.
- Select New to create a new dashboard.
- Provide a dashboard title. For example, "Failed Logins".
- Select Panel Powered By Report.
- Click Save.
You now have a dashboard with one panel. This panel shows the total number of failed authentications. In addition to the total count, you can add panels that show counts for failures on valid and invalid accounts.
Part 5: Generate additional visualizations
Generate single value visualizations showing invalid and valid account login failures.
- Follow the preceding steps to run a search, create a single value visualization, and add captions. Use the following search strings and captions for the two new visualizations.
Visualization showing Search Caption Login failures on invalid accounts
sourcetype=secure failed "invalid user" | stats count
Invalid accounts Login failures on valid accounts
sourcetype=secure failed NOT "invalid user" | stats count
- Save each visualization as a report and add it to the dashboard. The dashboard panels now look like the following example. The counts displayed might vary.
Part 6: Start customizing dashboard layout
To save space, put all of the dashboard panels in one row.
The next part of the scenario shows you how to add more customizations.
Customize dashboard panels
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10