Best Way to Count Multiple Users logging into 1 Co...

All Apps and Add-ons

Trying to find the best way to log anytime a number logs into more than 1 computer. Not sure the best approach for this. My current query is:

index=cisco_ise sourcetype="cisco:ise:syslog" (Framed_IP_Address=* AND Framed_IP_Address!="\\") (UserName="*.*" AND UserName!="sim*" AND UserName!="host//*" AND UserName!="\\")
| bin _time span=24h
| stats values(UserName) as User_Name, dc(UserName) as User_Name_Count by Framed_IP_Address, _time
| eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval "Time Range"= 'Time Range'.strftime(_time+3600,"- %H:%M:%S")
| sort -Framed_IP_Address
| where User_Name_Count  > 1

And believe it or not, this actually gave me 1 result. I could see 2 users logged into the same machine. However, I don't believe it's the best way to write this/achieve this result. And was hoping to get some advice on how to tighten the query up.

Thank you in advanced.

Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Are you a member of the Splunk Community?