https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668720#M229386 <P>Thanks</P> Wed, 15 Nov 2023 10:31:45 GMT gjhaaland 2023-11-15T10:31:45Z https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668702#M229379 <P>Hi,</P><P>The code is like</P><P>index=main host=server10 (EventCode=4624 OR&nbsp;&nbsp;EventCode=4634) Logon_Type=3 NOT user="*$" NOT user "ANONYMOUS LOGON"</P><P>| dedup user | where NOT MsgID==AUT22673 | eval LoginTime=_time | table user LoginTime</P><P>&nbsp;</P><P>The output will list active RDP user.&nbsp; No idea how to fix the rest of it, either</P><P>1: If number of user == 0, then print "No Remote desktop user"</P><P>2: Or put number of user into a Single Value, Radial Gauge (not username)</P><P>Sounds so easy but I cannot figure out how to fix it.&nbsp; Too little Splunk experience.</P><P>Rgds</P><P>Geir</P> Wed, 15 Nov 2023 08:27:09 GMT https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668702#M229379 gjhaaland 2023-11-15T08:27:09Z https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668715#M229383 <P>Do you just need a count of (distinct) users?</P><LI-CODE lang="markup">| stats dc(user) as users</LI-CODE> Wed, 15 Nov 2023 09:41:30 GMT https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668715#M229383 ITWhisperer 2023-11-15T09:41:30Z https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668720#M229386 <P>Thanks</P> Wed, 15 Nov 2023 10:31:45 GMT https://community.splunk.com/t5/Splunk-Search/Remote-desktop-user/m-p/668720#M229386 gjhaaland 2023-11-15T10:31:45Z