Hi all,
I am trying to visualize in some way the first initial logon time for a user each day over a month, is this possible ? everything just seems to be based on count and i cant figure out the best way to do it.
eg - graph with each date for the month and a time shown on the chart or something similar.
Thanks
Hi Gary,
hour_of_day with the following value:doc["@timestamp"].value.getMinuteOfDay()
Set the Type to Number, the format to Duration, Input format to Minutes, Output format to Hours. There is a small hitch here, as it will show the time with decimal points for Hours instead of minutes, I've added an issue to make this more useful. https://github.com/elastic/kibana/issues/26128
3. Create a visualization (i used a bar chart), with the following settings:
event_id:4624 in the search bar or as a filter: this is the event ID for all successful logons in Windows.Top hit aggregation, on the field hour_of_day, with Aggregate on set to Min, Size set to 1,Sort onset to @timestamp field,Order` as ascending.Optional, you can split the series with a Terms aggregation, on the user.name field to show the top X users (as many as you set in the Size field), or even better, do a Filter aggregation instead of terms and add a filter for each user that you're interested in, something like this:
You can see how this chart would look over here:
You can get ideas for more cool stuff to do with the Winlogbeat data from this blog post: https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat
Thank you, I'm very new to Elastic Search so i had to work out how to add a scripted field but once done the chart has worked perfectly, thanks !
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
