Splunk Group Policy Dashboard
10-25-2020
Language or Platform: Markup
Code:
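<form theme="light">
  <label>Group Policy - Dashboard</label>
  <description>Group Policy Objects that have been created, updated or deleted in the selected time range (defaults to the last 60 days).</description>

  <!-- Global base search. NOTE(review): no panel references it via base="base_search" yet
       (see the comment on the GPO Name dropdown), it is kept so the dashboard dispatches the
       same set of searches as before. SPL evaluates AND before OR, so the event-type pair and
       the attribute pair are parenthesised explicitly; without the parentheses the filter
       reads as "Update OR (Deleted AND instanceType=4 AND gPCFileSysPath=*) OR gPLink=*". -->
  <search id="base_search">
    <query>
index=main source=ActiveDirectory host=DCServerName (admonEventType=Update OR admonEventType=Deleted) instanceType=4 (gPCFileSysPath=* OR gPLink=*)
    </query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
  </search>

  <fieldset submitButton="false">
    <!-- A time input without a token attribute sets the global $earliest$ / $latest$ tokens
         that the panels below reference. Without this input those tokens are undefined and
         the searches that use them do not dispatch. -->
    <input type="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60d@d</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- Choice values are spliced in as the right-hand side of admonEventType=..., so the
         "All" value carries its own OR clause. Consumers wrap the token in parentheses so
         the OR cannot leak out into the surrounding AND terms. -->
    <input type="dropdown" token="panel1" searchWhenChanged="true">
      <label>Action Type</label>
      <choice value="Update OR admonEventType=Deleted">All</choice>
      <choice value="update">Updated</choice>
      <choice value="deleted">Deleted</choice>
      <initialValue>Update OR admonEventType=Deleted</initialValue>
      <default>Update OR admonEventType=Deleted</default>
    </input>

    <input type="dropdown" token="panel2" searchWhenChanged="true">
      <label>GPO Name</label>
      <search>
        <!-- TODO: this repeats the base query; post-processing base_search would save a
             dispatch, but the chart panels still need work before they can share it. -->
        <!-- The eval wraps displayName in double quotes so a name containing spaces survives
             being spliced into displayName=$panel2$. A name that itself contains a double
             quote is not escaped here and would still break the consuming search. -->
        <query>
index=main source=ActiveDirectory host=DCServerName (admonEventType=Update OR admonEventType=Deleted) instanceType=4 (gPCFileSysPath=* OR gPLink=*)
| stats count by displayName
| table displayName
| eval displayName="\"".displayName."\""
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <fieldForLabel>displayName</fieldForLabel>
      <fieldForValue>displayName</fieldForValue>
      <!-- "All" also matches events with no displayName at all. -->
      <choice value="* OR NOT displayName=*">All</choice>
      <initialValue>* OR NOT displayName=*</initialValue>
      <default>* OR NOT displayName=*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Group Policy Activity Over Time</title>
      <chart>
        <search>
          <!-- timechart buckets on _time, so the previous strptime/sort pre-pass was dead work;
               it also passed through sort's default 10000-result limit, silently truncating
               large time ranges. usenull=f useother=f drop the NULL and OTHER series. -->
          <query>
index=main source=ActiveDirectory host=DCServerName admonEventType=* instanceType=4 gPCFileSysPath=*
| timechart count by displayName usenull=f useother=f
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <!-- Log scale keeps a single busy GPO from flattening the rest of the series. -->
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>

    <panel>
      <title>5 Newest Group Policy Events</title>
      <table>
        <search>
          <!-- dedup ... sortby -_time keeps the newest event per GPO without a separate sort
               pass (and its 10000-result cap); head 5 then keeps the five most recent GPOs. -->
          <query>
index=main source=ActiveDirectory host=DCServerName admonEventType=* instanceType=4 gPCFileSysPath=*
| where isnotnull(displayName)
| dedup displayName sortby -_time
| table displayName whenCreated whenChanged name
| head 5
| chart values(*) by displayName
| rename displayName AS "GPO Name"
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Group Policy Log</title>
      <table>
        <title>Display by Type</title>
        <search>
          <!-- Both dropdown tokens may expand to an OR expression ("All"), so each is
               parenthesised to keep it from absorbing the neighbouring AND terms.
               Field names are case-sensitive in table; gPLink matches the search filter
               (the earlier gpLink column never populated). host= pins the data to a single
               domain controller; activity only seen on other DCs is not shown here. -->
          <query>
index=main source=ActiveDirectory host=DCServerName (admonEventType=$panel1$) instanceType=4 (displayName=$panel2$) (gPCFileSysPath=* OR gPLink=*)
| table displayName admonEventType name whenCreated whenChanged objectGUID distinguishedName objectCategory gPLink
| rename displayName AS "GPO Name", admonEventType AS "Type"
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>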