Total users logged in at any given time to a Windows machine

tkerr1357
Path Finder

Hello all,

I am fairly new to Splunk and am working on gathering data for our operations team. They are asking me to create a dashboard for them with relevant login/logoff security data. The part that has me stumped is getting the exact number of active users on a given machine at any time. This would normally be accomplished by launching the command line and just running query user. Any help on this one would be greatly appreciated.


BainM
Communicator

Hi tkerr1357,

You will want to use an add-on like the Splunk for Windows Add-On. This allows you to collect and index Windows events from the target server to search against. You would then search for the logon/logoff Windows events.

App:
https://splunkbase.splunk.com/app/742/#/details
Docs:
https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows

And here's a nice front-end companion app to the backend app with dashboards and sample queries:
https://splunkbase.splunk.com/app/1680/

Hope this helps,
Mike


tkerr1357
Path Finder

Hi Mike, we do make use of that app; however, there are far more logon events than we have active users in our system at any given time. I was searching based on EventCode=4624, which is a successful logon event. Do I need to do some kind of search of successful login events and then exclude users that have logoff events within, like, 30 seconds or so to find the total users that are logged in? If so, I'm not sure how to drill up a search like that, so anything that could point me in the right direction would be helpful. I will continue to review the docs for now.

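
The pairing approach the follow-up post is reaching for can be expressed in SPL. This is an added example, not code posted by anyone in the thread. It assumes the field extractions of the Splunk Add-on for Windows (Logon_ID, Logon_Type and Account_Name with the classic event rendering, or TargetLogonId, LogonType and TargetUserName when renderXml is enabled), an index named wineventlog, and that the forwarder's host field identifies the machine; adjust those names to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4634 OR EventCode=4647)
| eval logon_id=coalesce(TargetLogonId, mvindex(Logon_ID, -1)),
       logon_type=coalesce(LogonType, Logon_Type),
       user=coalesce(TargetUserName, mvindex(Account_Name, -1))
| search EventCode!=4624 OR logon_type IN (2, 10, 11)
| stats min(eval(if(EventCode=4624, _time, null()))) AS logon_time,
        max(eval(if(EventCode!=4624, _time, null()))) AS logoff_time,
        values(eval(if(EventCode=4624, user, null()))) AS user
        BY host, logon_id
| where isnotnull(logon_time) AND isnull(logoff_time)
| stats dc(user) AS active_users, values(user) AS users BY host
| sort - active_users
```

How it works: the reason 4624 overcounts is that most of those events are network (Logon_Type 3), service (5) and unlock (7) logons, none of which shows up in query user. The search keeps only interactive (2), RemoteInteractive/RDP (10) and cached interactive (11) logons. Each logon session gets a Logon ID that is also stamped on its 4634 (session ended) or 4647 (user-initiated logoff) event, so grouping by host and logon_id and keeping the groups that have a logon time but no logoff time gives the sessions still open, without any 30-second heuristic. In the classic rendering a 4624 carries two Logon_ID and two Account_Name values (the Subject and the New Logon), which is why mvindex(..., -1) is used to pick the New Logon ones. Two caveats a practitioner should keep in mind: a session that began before the start of your search window has no 4624 in range and will be missed, so the window should cover at least your longest expected session, and Logon IDs restart at boot, so over a window spanning a reboot two unrelated sessions on the same host can share an ID.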