Hello. Lately, we have started monitoring Windows server in Splunk. I have created a few dashboards with basins windows performance checkers. I want also to create a dashboard/report to see how many users are currently logged on to the server, which is monitored in Splunk? What type of search do I need to undertake? Is it required to activate any other specific logs from the server? Thanks,
I think you could accomplish this a couple of ways. You can either track the Windows Security Event Logs and look for logins/logouts or you could index the Windows PerfMon "\Server\Server Sessions" counter. The issue with trying to show the number of logged in users with the Event Logs is that if your reporting period is not large enough, a user who has been logged in since before that reporting period would not be included in the user count.
I try track the Windows Security Event Logs and look for logins/logouts. But not combie Logs logon and logout?
Ples help!
I think you could accomplish this a couple of ways. You can either track the Windows Security Event Logs and look for logins/logouts or you could index the Windows PerfMon "\Server\Server Sessions" counter. The issue with trying to show the number of logged in users with the Event Logs is that if your reporting period is not large enough, a user who has been logged in since before that reporting period would not be included in the user count.