Archive
Highlighted

How do I search for low counts of specific user logons per host?

Explorer

I'm trying to do some least common occurance hunting in our environment, and would like to see if I can make a search that will show me hosts with low counts of user logons (say, less than 5?).

So, if my machine had me log in 30 times, and a pc tech once, even though it's legit it would show the pc tech on my machine in the search.

0 Karma
Highlighted

Re: How do I search for low counts of specific user logons per host?

Path Finder

Assuming the user is xyz.

index=_internal file=login user!=- NOT streamedsearch user=xyz |stats count by host user | where count<5

0 Karma
Highlighted

Re: How do I search for low counts of specific user logons per host?

Explorer

Not by user... I would like it to show ANY user with low counts on any machine. I'll try the "rare user" command listed above, see how that works out for me.

0 Karma
Highlighted

Re: How do I search for low counts of specific user logons per host?

SplunkTrust
SplunkTrust

@rwmilligan,

what about rare user ?

0 Karma