Getting Data In
Highlighted

How to search Windows security logs to find unique users (username) who have logged during a give time frame?

Engager

Hi All and thanks in advance,

I am currently using Splunk to grab a server's security logs. I would like to run a search to find out the unique users who log in a month or during a given time. Ideally I would be able to get the username of the user. Is this possible? All I can see from research is that I will need to use the distinct count function(DC).

If you have any questions please let me know. I am grateful for all advice given.

Thanks,

SG

Highlighted

Re: How to search Windows security logs to find unique users (username) who have logged during a give time frame?

Builder

You can do something like:

<search> | stats count by username

Or:

<search> | dedup username | table username
Highlighted

Re: How to search Windows security logs to find unique users (username) who have logged during a give time frame?

Engager

Neither commands seemed to show up anything. I have now got up to host="DC01-DEV" Account_Name="*" this seems to show up all the ones but you then have to expand each one to show account name. Also this is not unique account names. How would I make it so it purely lists the users and I do not have to expand this?

Thanks,

SG

0 Karma