All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Users logging windows on two machines at the same time

sergeimartao
Explorer
‎03-16-2015 01:36 PM

I'm trying to find out which users are logging on two machines at the same time (sharing login)

I already know some log fields and started to make a sketch, but I think I'm on the wrong track ...

host=ADServer sourcetype="WinEventLog:Security" NOT User=*$ EventCode=540 OR EventCode=538 | transaction startswith=EventCode="540" endswith=EventCode="538" | eval duration=tostring(duration,"duration") | table _time user duration name EventCode ComputerName Source_Network_Address

What I would do was to show just who logged in more than two machines. Could someone help me

0 Karma
Reply

sergeimartao
Explorer
‎03-30-2015 10:39 AM

Hello, jcoates_splunk

I managed to create the report using this search

sourcetype="WinEventLog:Security" OR (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs, values(dvc) as "Domains Controller", count by user

| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users

Reply

renatobamorim
Explorer
‎10-17-2016 11:37 AM

If the user logged off from the host before login on the other? On this case you'll alert the both, or not?

0 Karma
Reply

psharkey
Explorer
‎03-30-2015 10:45 AM

Sergei - you are missing a close quote " after values(src_ip) as "Logins IPs.
It should read:
values(src_ip) as "Logins IPs", ...

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎03-21-2015 03:32 PM

hi, since the data is tagged for CIM, it should be easier to use tags and eventtypes:
tag=authentication eventtype="windows_logon*" | eventstats count(dest) as dest_count by user | timechart max(dest_count) by user

If you have the CIM installed I also got good results with Search->Pivot -> Authentication -> Successful Authentication. I added a filter for Sourcetype starts with win*, split the row by user, and the column by dest to get a table. Or use the scatter plot to map distinct counts of users and dests.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...