Custom private saved Splunk dashboard - setup instructions step by step


STEP 1 : GET SEARCH CODE FROM KBASE (13785)

Copy this code to Notepad >>>

(host=dc*) source=WinEventLog:Security (EventCode=4740) (Target_Account_Name!=localadmin OR user!=localadmin) | eval Account=coalesce(Target_Account_Name, user) | eval Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="Unknown" Machine | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | dedup Time, Account | dedup Account, Machine | table Time, Account, Machine

STEP 2 : LOG INTO SPLUNK - SELECT CORE SPLUNK VIEWS


STEP 3 : SELECT SEARCH


STEP 4 : PASTE SEARCH CODE FROM KBASE INTO SEARCH FIELD


STEP 5 : CLICK ON 30 MIN TO CHANGE TO 4 HOURS


STEP 6 : CHANGE FROM 30 TO 4 AND MINUTES TO HOURS


STEP 7 : CLICK APPLY TO SAVE


STEP 8 : CLICK ON GREEN SEARCH ICON TO GENERATE SEARCH WITH CUSTOM CODE


STEP 9 : CLICK ON SAVE AS


STEP 10 : SAVE AS NEW DASHBOARD


STEP 11 : NAME NEW DASHBOARD TITLE / PERMISSION = PRIVATE / SELECT CLASSIC DASHBOARDS / CLICK SAVE TO DASHBOARD BUTTON


STEP 12 : CLICK ON CORE SPLUNK VIEWS / DASHBOARDS / AND THEN TYPE THE NAME OF THE PRIVATE VIEW YOU JUST CREATED, FOR EXAMPLE KEITH VIEW 1


STEP 13 : SELECT THE VIEW YOU CREATED - ONLY YOU CAN SEE YOUR OWN PRIVATE VIEWS


STEP 14 : CLICK ON THE VIEW YOU CREATED AND SORT BY ACCOUNT NAME (USER ID) - AND ENJOY THE FASTEST WAY TO GET NON-ISE LOCKOUT INFO
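
Added example, not part of the original instructions: the classic dashboard (Simple XML) that steps 5-11 build through the UI, written out so it can be pasted into the dashboard's source editor or kept as a backup. The title KEITH VIEW 1 is the example name from step 12; the panel title, single-table layout and table options are assumptions; the query is the STEP 1 search with line breaks added and the fallbacks written with coalesce() and the lowercase value= option.

```xml
<dashboard>
  <!-- Added example: dashboard title taken from the example name in step 12 -->
  <label>KEITH VIEW 1</label>
  <row>
    <panel>
      <!-- Panel title is an assumption, not from the original instructions -->
      <title>Account lockouts (EventCode 4740), last 4 hours</title>
      <table>
        <search>
          <!-- CDATA keeps the SPL literal, so quotes and != need no escaping -->
          <query><![CDATA[
(host=dc*) source=WinEventLog:Security (EventCode=4740)
(Target_Account_Name!=localadmin OR user!=localadmin)
| eval Account=coalesce(Target_Account_Name, user)
| eval Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name)
| fillnull value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine
          ]]></query>
          <!-- Steps 5-7: relative time range of 4 hours -->
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <!-- Table options are assumptions: no click-through, 50 rows per page -->
        <option name="drilldown">none</option>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The PRIVATE permission from step 11 is not part of this XML; it is set when the dashboard is saved.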