Best Way to Count Multiple Users logging into 1 Co...

All Apps and Add-ons

Trying to find the best way to log anytime a number logs into more than 1 computer. Not sure the best approach for this. My current query is:

index=cisco_ise sourcetype="cisco:ise:syslog" (Framed_IP_Address=* AND Framed_IP_Address!="\\") (UserName="*.*" AND UserName!="sim*" AND UserName!="host//*" AND UserName!="\\")
| bin _time span=24h
| stats values(UserName) as User_Name, dc(UserName) as User_Name_Count by Framed_IP_Address, _time
| eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval "Time Range"= 'Time Range'.strftime(_time+3600,"- %H:%M:%S")
| sort -Framed_IP_Address
| where User_Name_Count  > 1

And believe it or not, this actually gave me 1 result. I could see 2 users logged into the same machine. However, I don't believe it's the best way to write this/achieve this result. And was hoping to get some advice on how to tighten the query up.

Thank you in advanced.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...