Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identifying Users that connect from different ip simultaneously on same device

cnoulin
Explorer
‎12-11-2019 01:30 AM

Hello, i want to make an alert that trigger when on a specific device, a user connect simultaneously from different IP.
My search is as follow :

source="My Source" | stats dc(src_ip) as count,values(src_ip) as src_ip by user | where count > 1

Thanks in advance

Tags (1)
0 Karma
Reply

cnoulin
Explorer
‎12-11-2019 05:08 AM

@gcusello , thanks for your answer.
Actually my source is my device.

when i add the device ip as device_id, there is no result.
Actually the request work but send me result when the same user as different ip in different moment of the day (that is "normal"), but i want only same user_id with different IP simultaneously.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-11-2019 04:36 AM

Hi @cnoulin,
in the BY cluase you have to add also the device identificator (name, id or IP).

source="My Source" 
| stats dc(src_ip) as count values(src_ip) as src_ip BY user device_id
| where count > 1

P.S.: use always the index clause in the main search, you'll have more performant searches.

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-11-2019 05:53 AM

Device is mandatory because yu could have that a user accesses to different devices.
So check the exact field name and put it in BY clause.
Ciao.
Giuseppe

0 Karma
Reply

cnoulin
Explorer
‎12-11-2019 07:05 AM

@gcusello not really in my case, because the source is a firewall and i want to identify external users that use same login from different ip and access the site via the firewall

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-11-2019 07:40 AM

Ok easier the aspect of the device!
you could use something like this

 source="My Source" 
 | stats dc(src_ip) as count values(src_ip) as src_ip earliest(_time) AS earliest latest(_time) AS latest BY user device_id
 | where count > 1 AND latest-earliest<300

where you can configure the maximum accepted delay between events (in my example 300 seconds).

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...