Class 7 Lab 2 ‐ Dashboards - Justin-Boyd/CIT-Class GitHub Wiki

Task 1: Create the 404 Dashboard

Step 1

  • Start your pfSense machine.

Step 2

  • Start your Ubuntu machine, click Activities, search for the terminal, and open it.

Step 3

  • Use the command sudo /opt/splunk/bin/splunk start to start the Splunk daemon.

Step 4

  • Use the command service apache2 start to start Apache2.

Step 5

  • Click the Firefox icon in the panel on the left and browse to 127.0.0.1:8000.
  • Sign in with the username admin and password Aa123456.

Step 6

  • Click Search & Reporting.

Step 7

  • Click Dashboards, and then click Create New Dashboard on the right.

Step 8

  • In the window that appears, for Title, enter Apache Access Dashboard. The ID will be completed automatically. Click Create Dashboard.

Step 9

  • Click Source and note the default content of the new dashboard.

Step 10

  • Drag the provided Dashboard.xml file to your Ubuntu machine, open it, and copy its contents.

Step 11

  • Paste the contents of the Dashboard.xml file to the window, overwriting the existing text. When done, click UI to navigate to the visual representation.

Step 12

  • In the Ubuntu machine, open a new browser tab, go to a random Apache page, and click the refresh icon five times to trigger the XML file condition.

Step 13

  • Back in the Splunk tab, in the UI window, note the changes on the newly displayed dashboard. Note that the times will be different.

Step 14

  • Click Source to edit the dashboard and create a new panel in the same row. Copy the contents from to .

Step 15

  • Paste the text after the line with .

Step 16

  • Perform the following changes to the recently copied text:
    • In line 18, change the text between <title> and </title> to 404 Status Code by Minute
    • In line 21, change the timechart span to 1minute
    • In line 22, change the text between and to 1h@h
  • When done, click Save in the top right corner.

Step 17

  • You should see two panels in the same row.

Task 2: Create the EventID Dashboard

Step 1

  • Go to Search & Reporting in Splunk.

Step 2

  • In the top bar, select Alerts.

Step 3

  • Then click Open in Search for the WIN – Login Fail alert.

Step 4

  • Change the time range from Real-time to Presets and choose 7 days. We are going to reuse the alert from the previous lab to collect data and build a dashboard from it.

Step 5

  • Click Visualization to show a graph, then choose the line chart as the display.
  • Note: The graph isn't very readable with the current parameters.

Step 6

  • Let's change some of the parameters so the display is more useful. As with the 404 search, delete the where and stats commands from the search so that a different search can be built on the remaining base.

Step 7

  • Add at the top of the search: EventCode=4625 and earliest=-7d
  • Then add: | table _time, EventCode, Account_Name
  • And lastly: | timechart count by EventCode
  • This returns the past 7 days of EventCode=4625 activity, charted over time.
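Both panels built in this lab (the 404 Status Code by Minute panel from Task 1, Step 16, and the EventCode=4625 search above) are timechart counts over a filtered event set. The following is an added example, not code from the lab, the provided Dashboard.xml, or Splunk, that re-creates that logic in plain Python so the bucketing can be inspected offline. The Apache access-log lines and the Windows Security event lines are constructed samples, not captured data; the key=value layout of the Windows lines and the one-day span used for the 7-day chart (the lab leaves the span to Splunk's default) are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-log lines (not captured from the lab VM).
APACHE_LINES = [
    '10.0.0.5 - - [10/Mar/2024:11:59:59 +0000] "GET /old HTTP/1.1" 404 196 "-" "curl/7.81"',
    '10.0.0.5 - - [10/Mar/2024:13:04:02 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2024:13:04:45 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2024:13:04:59 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2024:13:05:10 +0000] "GET /cgi-bin/x HTTP/1.1" 500 521 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2024:13:06:30 +0000] "GET /nope HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# Constructed Windows Security events in an assumed key=value layout; only the
# fields the lab search touches (EventCode, Account_Name) are included.
WINDOWS_LINES = [
    '03/01/2024 10:00:00 AM LogName=Security EventCode=4625 Account_Name=jsmith',
    '03/09/2024 08:15:00 AM LogName=Security EventCode=4625 Account_Name=jsmith',
    '03/09/2024 08:15:30 AM LogName=Security EventCode=4625 Account_Name=jsmith',
    '03/09/2024 09:00:00 AM LogName=Security EventCode=4624 Account_Name=jsmith',
    '03/10/2024 01:05:17 PM LogName=Security EventCode=4625 Account_Name=admin',
]

# Constructed "now" so the example is reproducible; the lab uses the live clock.
NOW = datetime(2024, 3, 10, 13, 10, tzinfo=timezone.utc)

APACHE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
WINDOWS_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) .*?EventCode=(?P<code>\d+)'
    r'.*?Account_Name=(?P<acct>\S+)')


def parse_apache(line):
    """Extract _time and status from one access-log line; None if it does not parse."""
    m = APACHE_RE.search(line)
    if not m:
        return None
    return {"_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m.group("status"))}


def parse_windows(line):
    """Extract _time, EventCode and Account_Name from one constructed event line."""
    m = WINDOWS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    return {"_time": ts, "EventCode": int(m.group("code")), "Account_Name": m.group("acct")}


def bucket_start(ts, span):
    """Floor ts to the start of its span, which is what timechart span=... does."""
    width = int(span.total_seconds())
    secs = int(ts.timestamp())
    return datetime.fromtimestamp(secs - secs % width, tz=timezone.utc)


def timechart(events, span, earliest, latest, by):
    """Count events per span bucket and per `by` key within [earliest, latest).
    Empty buckets are kept so the chart has a continuous time axis."""
    counts = {}
    for e in events:
        if earliest <= e["_time"] < latest:
            counts.setdefault(bucket_start(e["_time"], span), Counter())[by(e)] += 1
    rows, b = [], bucket_start(earliest, span)
    while b < latest:
        rows.append((b, counts.get(b, Counter())))
        b += span
    return rows


def apache_404_by_minute(lines, now):
    """Task 1, Step 16 panel: 404s per minute since the top of the previous hour (1h@h)."""
    earliest = (now - timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    events = [e for e in map(parse_apache, lines) if e and e["status"] == 404]
    return timechart(events, timedelta(minutes=1), earliest, now, by=lambda e: e["status"])


def failed_logons_last_7d(lines, now):
    """Task 2, Step 7 search: EventCode=4625 earliest=-7d | timechart count by EventCode.
    A one-day span is assumed here; the lab leaves the span to Splunk's default."""
    events = [e for e in map(parse_windows, lines) if e and e["EventCode"] == 4625]
    return timechart(events, timedelta(days=1), now - timedelta(days=7), now,
                     by=lambda e: e["EventCode"])


def nonzero(rows):
    """Drop empty buckets and key the rest by ISO timestamp, for display and checking."""
    return {b.isoformat(): dict(c) for b, c in rows if c}


if __name__ == "__main__":
    print("404 by minute:", nonzero(apache_404_by_minute(APACHE_LINES, NOW)))
    print("4625 by day:", nonzero(failed_logons_last_7d(WINDOWS_LINES, NOW)))
```

Note how the 1h@h snap excludes the 11:59:59 hit even though it is within the last hour: the window starts at the top of the previous hour, so a spike just before that boundary never appears on the panel. The 4624 (successful logon) event and the event older than seven days are dropped by the filter before bucketing.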

Step 8

  • Then click Save As and select Dashboard Panel. Fill out the information shown in the following screenshot.

Step 9

  • Once you save it, you will have the newly created dashboard.