topic Re: How do I search for low counts of specific user logons per host? in Splunk Search

How do I search for low counts of specific user logons per host?

rwmilligan — Fri, 24 Aug 2018 14:49:27 GMT

I'm trying to do some least common occurance hunting in our environment, and would like to see if I can make a search that will show me hosts with low counts of user logons (say, less than 5?).

So, if my machine had me log in 30 times, and a pc tech once, even though it's legit it would show the pc tech on my machine in the search.

Re: How do I search for low counts of specific user logons per host?

imthesplunker — Fri, 24 Aug 2018 15:17:21 GMT

Assuming the user is xyz.

index=_internal file=login user!=- NOT streamedsearch user=xyz |stats count by host user | where count<5

Re: How do I search for low counts of specific user logons per host?

renjith_nair — Fri, 24 Aug 2018 16:10:12 GMT

@rwmilligan,

what about rare user ?

Re: How do I search for low counts of specific user logons per host?

rwmilligan — Mon, 27 Aug 2018 13:43:10 GMT

Not by user... I would like it to show ANY user with low counts on any machine. I'll try the "rare user" command listed above, see how that works out for me.