topic Re: How to Monitor 3 Users in Splunk Search

How to monitor three users?

woodlandrelic — Fri, 17 Feb 2023 15:38:19 GMT

My system is Linux. Am trying to monitor 3 users in an index. The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?

Thanks

Re: How to Monitor 3 Users

PaulPanther — Fri, 17 Feb 2023 10:05:10 GMT

Hi @woodlandrelic

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John) |stats latest(login_time) by ip_address, user

Re: How to Monitor 3 Users

woodlandrelic — Fri, 17 Feb 2023 12:12:01 GMT

@PaulPanther

Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?

Re: How to Monitor 3 Users

PaulPanther — Fri, 17 Feb 2023 12:21:27 GMT

You could combine both indexes like

(index=abc OR index=def) user IN (James,Peter,John) |stats latest(login_time) by ip_address, user

But that's a bit theoretical because I don't know if the data source or format that you wanna search through is the same. Feel free to provide some more information about the events.

Re: How to Monitor 3 Users

woodlandrelic — Fri, 17 Feb 2023 12:29:27 GMT

@PaulPanther

Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks