https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626992#M217904 <P>I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:</P> <P>index=main EventCode=4624&nbsp;<BR />| eval Account=mvindex(Account_Name,1)<BR />| eventstats dc(host) AS Logins by Account<BR />| where Logins &gt; 1<BR />| timechart count(Logins) BY Account<BR /><BR />I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.&nbsp; Any tips for a Splunk Newb?</P> Fri, 13 Jan 2023 00:35:21 GMT jayygee3 2023-01-13T00:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626992#M217904 <P>I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:</P> <P>index=main EventCode=4624&nbsp;<BR />| eval Account=mvindex(Account_Name,1)<BR />| eventstats dc(host) AS Logins by Account<BR />| where Logins &gt; 1<BR />| timechart count(Logins) BY Account<BR /><BR />I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.&nbsp; Any tips for a Splunk Newb?</P> Fri, 13 Jan 2023 00:35:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626992#M217904 jayygee3 2023-01-13T00:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626994#M217905 <P>Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.</P><P>The advice round 'transaction' is good - avoid where possible, it's rarely necessary and almost never the solution for looking for long lived things.</P><P>streamstats and stats are generally what you can use.&nbsp;</P><P>Here's a recent post on doing something similar, which gives examples of how you can build things</P><P><A href="https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p/621763#M216135" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p/621763#M216135</A></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 13 Jan 2023 00:15:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626994#M217905 bowesmana 2023-01-13T00:15:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626995#M217906 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!</P> Fri, 13 Jan 2023 00:29:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-user-concurrent-logins-on-unique-hosts/m-p/626995#M217906 jayygee3 2023-01-13T00:29:15Z