#SPLUNK UNIVERSAL FORWARDER WINDOWS EVENT LOGS KEYGEN#
Sort with the highest failed percentage and highest number of total attempts first, overriding the default limit indicated by the 0. Format the "out of" failed percent value with the percent sign and show the total failed count to the right in parentheses. Calculate the percent of failures and percent of successes of session count.
|eval First_Attempt=strftime(earliest, "%m/%d/%Y %H:%M:%S"), Last_Attempt=strftime(latest, "%m/%d/%Y %H:%M:%S"), Fail_Percent=round((fail_count/sesscount)*100,2), Total_Attempts=fail_count+success_count, Success_Percent=round((success_count/sesscount)*100,2), Fail_Percent=Fail_Percent."% (".tostring(fail_count,"commas").")"įormat latest and earliest time value from epoch to calendar format. Lastly, show the count of each logon type per user. Gather the corresponding logon type for each logon user. The count is surrounded by parenthesis.Īggregate time to latest and earliest using max and min functions. This sets up the running total for the eventstats command coming up next.Ĭalculate a running total of eventtype (success or failure) for the user by logon type.įormat the output that shows the logon type descriptor and the count of the type returned by the search. Normalize logon names to all lowercase to make comparisons easier.Ĭalculate an initial count to 1 for fields in the BY clause. Search only users with svc at the start of the user name.
These event types are defined in the Splunk Add-on for Microsoft Windows. |table Logon_User Total_Attempts Fail_Percent Success_Percent First_Attempt Last_Attempt,Session_Types |eval Success_Percent=Success_Percent."% (".tostring(success_count,"commas").")",Total_Attempts=tostring(Total_Attempts,"commas") |eval First_Attempt=strftime(earliest, "%m/%d/%Y %H:%M:%S"),Last_Attempt=strftime(latest, "%m/%d/%Y %H:%M:%S"),Fail_Percent=round((fail_count/sesscount)*100,2),Total_Attempts=fail_count+success_count,Success_Percent=round((success_count/sesscount)*100,2),Fail_Percent=Fail_Percent."% (".tostring(fail_count,"commas").")" |stats max(_time) AS latest, min(_time) AS earliest, count AS sesscount, values(Logon_Types) AS Session_Types, count(eval(status="success")) AS success_count, count(eval(status="failure")) AS fail_count BY Logon_User |eventstats sum(count) AS l_cnt BY Logon_User,Logon_Type |stats count BY _time,status,Logon_User,Logon_Type You can optimize it by specifying an index and adjusting the time range.Įventtype=windows_logon_failure OR eventtype=windows_logon_success user=svc*
Verify that you have enabled the WinEventLog://Security input on all Active Directory domain controllers.For more information, see About installing Splunk add-ons. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems.
0 kommentar(er)
