Let’s say I’d like to generate a report of Failed Logons over the past 24 hours, broken out by Users and the number of times they screwed up their logon, and what machines they failed to log into correctly.
I already have the stream setup that pulls this info in the GL dashboards and Console.
Would this be easiest with a local script on the GL box, or an outside PowerShell-type script calling against the REST API?
You could achieve everything except the “and what machines they failed to log into correctly” with a quick values widget on the user name field.
If you want the full reporting as described, you should indeed use the REST API. I recommend opening the REST API Browser (from System → Nodes) and taking a look at the search and analysis APIs. You should be able to accomplish this by running sequential quick values (called terms in the API) calls.
Yup…I see those. What I was hoping is to see a simple working model that I could get a grasp about how it works and the syntax and such. Seeing a working model makes all the lights go on over here.
GROK extractors are the same way. Once you see one work, it all clicks.
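A working model of the sequential terms (quick values) approach the answer above describes, added here as an example and not code from the thread. It assumes, since the thread does not say, that the relative terms endpoint returns a JSON "terms" object mapping value to count, and that failed logons match `EventID:4625` and carry the user in `TargetUserName` and the machine in `source`; adjust those to your own extractors.

```python
# Added example (not from the thread). Assumed, not stated there: the endpoint
# GET /search/universal/relative/terms?field=&query=&range=&size= answers JSON
# whose "terms" object maps value -> count; failed logons match EventID:4625
# and carry the user in TargetUserName and the machine in source.
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

ONE_DAY = 24 * 60 * 60  # relative range in seconds

def make_graylog_fetcher(base_url: str, user: str, password: str) -> Callable:
    """Return fetch(field, query) -> {value: count} backed by the REST API."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(field: str, query: str) -> Dict[str, int]:
        params = urllib.parse.urlencode(
            {"field": field, "query": query, "range": ONE_DAY, "size": 100})
        req = urllib.request.Request(
            f"{base_url}/search/universal/relative/terms?{params}",
            headers={"Accept": "application/json", "Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["terms"]
    return fetch

def lucene_quote(value: str) -> str:
    """Quote a term value so the per-user query matches it literally."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def failed_logon_report(fetch, base_query="EventID:4625",
                        user_field="TargetUserName", host_field="source"):
    """Step 1: terms on the user field. Step 2: one terms call per user,
    scoped to that user, giving the machines they failed to log into."""
    report = {}
    for user, failures in fetch(user_field, base_query).items():
        scoped = f"{base_query} AND {user_field}:{lucene_quote(user)}"
        report[user] = {"failures": failures, "hosts": fetch(host_field, scoped)}
    return report

# Constructed sample responses standing in for the API so this runs offline.
_SAMPLE = {
    ("TargetUserName", "EventID:4625"): {"alice": 5, "bob": 2},
    ("source", 'EventID:4625 AND TargetUserName:"alice"'): {"DC01": 4, "WS07": 1},
    ("source", 'EventID:4625 AND TargetUserName:"bob"'): {"WS12": 2},
}
def sample_fetch(field: str, query: str) -> Dict[str, int]:
    return _SAMPLE[(field, query)]

if __name__ == "__main__":
    print(json.dumps(failed_logon_report(sample_fetch), indent=2))
```

Against a live server, swap `sample_fetch` for `make_graylog_fetcher("http://graylog:12900/api", "user", "pass")` and the same report function runs the two-level query for real.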