Creating Dashboards

Splunk dashboards are powerful tools for visualizing and analyzing data within the Splunk platform. They provide a graphical representation of data collected from various sources, allowing users to gain insights and make data-driven decisions.

My Goals
Using Splunk for Everything!
01
Active Directory Overview & Historian
User and computer account information is fed into Splunk so that you can review not only the current setup but also historical information as needed: for example, past accounts, deleted objects and previous object updates.
02
Network Assets & Historian
A place not only to store switch, router and firewall information such as IP address, service tag, IOS image and version, but also to keep a history of this information for EOL systems that have been upgraded or replaced.
03
Computer Details & Resources
Resource management and review of available hard drive space, memory and even CPU utilization over a historical time period. This can help plan for future needs or simply be a tool for reviewing available resources.
04
System Health Reporting
This can include details like patch information, anti-virus status and version, and more. Really, there is no limit to what you can put into Splunk and turn into useful information.
Account Lockout Count:
index="windows" sourcetype="WinEventLog:Security" EventCode=4740 | stats count
Account Lockout Table:
index="windows" sourcetype="WinEventLog:Security" EventCode=4740
| eval Account_Name=mvindex(Account_Name,1)
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| fields Account_Name, ComputerName, Workstation_Name, Keywords, Date, Time, EventCode
| table Account_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Account_Name as "Account"
| rename ComputerName As "Source Server"
| rename Keywords As "Logon Result"
| rename EventCode As "Event ID"
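The two lockout queries above replayed in Python over constructed EventCode 4740 events, as an added example that is not part of the original page. Its point is the mvindex(Account_Name, 1) step: a 4740 message carries two "Account Name:" lines, the Subject (the domain controller's computer account that enforced the lockout) first and the "Account That Was Locked Out" second, and Splunk folds both into one multivalue Account_Name field in that order, so index 0 is the DC and index 1 is the user. The event bodies, host names, SIDs and timestamps are constructed; the regexes only approximate Splunk's own field extraction.

```python
"""Added example (not from the original page): the 'Account Lockout Count' and
'Account Lockout Table' queries replayed over constructed 4740 events."""
import re
from collections import Counter
from datetime import datetime, timezone


def _raw_4740(subject, locked, caller):
    """Body of a 4740 event in the Windows message layout (constructed, not a real log)."""
    return (
        "A user account was locked out.\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
        "Account That Was Locked Out:\n"
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-1000\n"  # placeholder SID
        f"\tAccount Name:\t\t{locked}\n"
        "Additional Information:\n"
        f"\tCaller Computer Name:\t{caller}\n"
    )


# Constructed sample events as Splunk would hold them for sourcetype WinEventLog:Security.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4740, "ComputerName": "DC01.example.local",
     "Keywords": "Audit Success", "_raw": _raw_4740("DC01$", "jdoe", "WKS-17")},
    {"_time": 1700000600, "EventCode": 4740, "ComputerName": "DC01.example.local",
     "Keywords": "Audit Success", "_raw": _raw_4740("DC01$", "jdoe", "WKS-17")},
    {"_time": 1700003600, "EventCode": 4740, "ComputerName": "DC02.example.local",
     "Keywords": "Audit Success", "_raw": _raw_4740("DC02$", "svc_backup", "SRV-APP01")},
    # A non-4740 event (successful logon) that every query above filters out.
    {"_time": 1700003700, "EventCode": 4624, "ComputerName": "DC01.example.local",
     "Keywords": "Audit Success",
     "_raw": "An account was successfully logged on.\n\tAccount Name:\t\tjdoe\n"},
]

ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(\S+)")
CALLER_RE = re.compile(r"Caller Computer Name:\s*(\S+)")


def extract_fields(event):
    """Approximate Splunk's Windows field extraction for the fields the queries use."""
    caller = CALLER_RE.search(event["_raw"])
    return {**event,
            # Multivalue field: Subject account first, locked-out account second.
            "Account_Name": ACCOUNT_NAME_RE.findall(event["_raw"]),
            "Workstation_Name": caller.group(1) if caller else None}


def mvindex(values, index):
    """Splunk mvindex(): the element at index (negatives allowed), or null when it does not exist."""
    return values[index] if -len(values) <= index < len(values) else None


def lockout_count(events):
    """'Account Lockout Count': EventCode=4740 | stats count"""
    return sum(1 for ev in events if ev["EventCode"] == 4740)


def lockout_table(events, tz=timezone.utc):
    """'Account Lockout Table': the eval/table/rename pipeline, one dict per row.
    Splunk formats _time in the search head's time zone; UTC is used here."""
    rows = []
    for ev in (e for e in events if e["EventCode"] == 4740):
        f = extract_fields(ev)
        when = datetime.fromtimestamp(f["_time"], tz=tz)
        rows.append({"Account": mvindex(f["Account_Name"], 1),  # the locked-out user, not the DC
                     "Source Server": f["ComputerName"],
                     "Logon Result": f["Keywords"],
                     "Date": when.strftime("%m-%d-%Y"),
                     "Time": when.strftime("%H:%M:%S"),
                     "Event ID": f["EventCode"]})
    return rows


def lockouts_by_account(events):
    """Extra panel idea: accounts that keep locking out (stats count by Account)."""
    return Counter(row["Account"] for row in lockout_table(events))
```

Running lockout_table on the sample shows "jdoe" and "svc_backup" in the Account column; dropping the mvindex step (or using index 0) would list DC01$ and DC02$ instead, which is the mistake this step guards against.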
Dashboard outline for Windows Security Event Logs.

The queries to the left are reused on the dashboard with simple edits to the EventCode value, so there is no reason to post one for each row in the dashboard below.

SPL
The basis for most of the queries behind the charts above looks like this:
index="network_hardware" DeviceName=$mydevicename$ IPAddress=$myipaddress$ SerialNumber=$myserialnumber$
| where Model!=""
| dedup DeviceName
| table DeviceName, IPAddress, MachineType, Model, IOSImage, IOSVersion, LastBoot, SerialNumber, SNMPVersion
| stats count by Model

Computer Details Dashboard
The dashboard is comprised of multiple indexes and multiple PowerShell script results. One PowerShell script queries Active Directory and gathers computer object details. The other executes a WinRM command to query information from remote servers and inserts the results into an index. All of this is executed by a Universal Forwarder.

Inputs.conf Addition
[powershell://ServerDetails-EX1]
index = details
script = . "$SplunkHome\etc\users\Details.ps1"
schedule = */5 * * * *
sourcetype = Windows:Details

[powershell://ServerADinfo-EX1]
index = computerobjects
script = . "$SplunkHome\etc\users\GetAdcomputer.ps1"
schedule = */5 * * * *
sourcetype = Windows:ComputerObjects
SPL Query Example:
index="computerobjects" CN=$text_cn$ DNSHostName=$text_dns$
| dedup CN
| eval CN = upper(CN)
| eval DNSHostName = upper(DNSHostName)
| fields CN, DNSHostName, Enabled, IPv4Address, LastLogonDate, badPwdCount, Created, DistinguishedName, PasswordLastSet
| table CN, DNSHostName, Enabled, IPv4Address
| sort CN


To the left is the setup used to place a text search on the dashboard. It assigns the value of the text box to a token named "text_dns", which is then added to the SPL of every item in the dashboard so that they all reflect changes to the text box, as shown above: DNSHostName=$text_dns$
It also defines the default search parameter as *, which is a wildcard for everything.

I wanted a simple example of using timechart with multiple result lines, as well as rounding off the numbers produced by the avg function.
Timechart Command
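An added example, not from the original page, that ties the two points above together: it generates the Splunk Simple XML for a form dashboard with text inputs bound to the page's text_cn and text_dns tokens (default *), one panel per row that reuses the page's Computer Details query, and a timechart panel with one line per host and averages rounded with foreach/round. The input labels, panel titles, the stats count panel and the timechart query are my own; the index "details" and sourcetype "Windows:Details" come from the inputs.conf stanza above, but the cpu_pct and DNSHostName fields in that sourcetype are assumptions. The token check at the end is a defender's sanity test: a panel that references a token no input defines never runs, which shows up as a dashboard that silently stays empty.

```python
"""Added example (not from the original page): build Simple XML for a Splunk form
whose panels share text-input tokens, and check that every $token$ is defined."""
import re
import xml.etree.ElementTree as ET

# Inputs: (token name, label shown on the dashboard, default value).
# Token names and the "*" default are from the page; the labels are my own.
COMPUTER_DETAILS_INPUTS = [
    ("text_cn", "Computer name (CN)", "*"),
    ("text_dns", "DNS host name", "*"),
]

# Panels: (title, visualization element, SPL). The first query is the page's own;
# the other two are assumptions (cpu_pct in sourcetype Windows:Details is hypothetical).
COMPUTER_DETAILS_PANELS = [
    ("Computer objects", "table",
     'index="computerobjects" CN=$text_cn$ DNSHostName=$text_dns$\n'
     "| dedup CN\n| eval CN = upper(CN)\n| eval DNSHostName = upper(DNSHostName)\n"
     "| table CN, DNSHostName, Enabled, IPv4Address\n| sort CN"),
    ("Matching objects", "single",
     'index="computerobjects" CN=$text_cn$ DNSHostName=$text_dns$ | dedup CN | stats count'),
    ("Hourly average CPU % per host, one decimal", "chart",
     'index="details" sourcetype="Windows:Details" DNSHostName=$text_dns$\n'
     "| timechart span=1h avg(cpu_pct) by DNSHostName\n"
     "| foreach * [eval <<FIELD>>=round('<<FIELD>>', 1)]"),
]

TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def build_form(label, text_inputs, panels):
    """Return Simple XML (version 1.1) for a <form> with text inputs and one panel per row."""
    form = ET.Element("form", version="1.1")
    ET.SubElement(form, "label").text = label
    fieldset = ET.SubElement(form, "fieldset", submitButton="false", autoRun="true")
    for token, input_label, default in text_inputs:
        inp = ET.SubElement(fieldset, "input", type="text", token=token,
                            searchWhenChanged="true")
        ET.SubElement(inp, "label").text = input_label
        ET.SubElement(inp, "default").text = default  # "*" so an empty box matches everything
    for title, element, query in panels:
        panel = ET.SubElement(ET.SubElement(form, "row"), "panel")
        ET.SubElement(panel, "title").text = title
        viz = ET.SubElement(panel, element)
        if element == "chart":
            ET.SubElement(viz, "option", name="charting.chart").text = "line"  # one line per host
        search = ET.SubElement(viz, "search")
        # ElementTree escapes <, > and & inside the SPL, which Simple XML requires;
        # the foreach <<FIELD>> template above would otherwise break the document.
        ET.SubElement(search, "query").text = query
        ET.SubElement(search, "earliest").text = "-24h@h"
        ET.SubElement(search, "latest").text = "now"
    return ET.tostring(form, encoding="unicode")


def panel_queries(xml_text):
    """Parse generated XML back and return each panel's SPL, unescaped."""
    root = ET.fromstring(xml_text)
    return [q.text for q in root.iter("query")]


def unresolved_tokens(text_inputs, panels):
    """Tokens referenced as $name$ in a panel query but defined by no input."""
    defined = {token for token, _, _ in text_inputs}
    referenced = set()
    for _, _, query in panels:
        referenced.update(TOKEN_RE.findall(query))
    return sorted(referenced - defined)


if __name__ == "__main__":
    print(build_form("Computer Details", COMPUTER_DETAILS_INPUTS, COMPUTER_DETAILS_PANELS))
```

The generated document can be pasted into the dashboard's source editor in Splunk Web. The timechart panel comes out with one line per DNSHostName value, and the foreach step rounds every series column to one decimal (round() leaves the integer _time column unchanged), which is the two-part behaviour the section above asks for.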

