Security

How to see how many users are currently logged in to a server, monitored in Splunk?

B83896
New Member

Hello. Lately, we have started monitoring a Windows server in Splunk. I have created a few dashboards with basic Windows performance checkers. I also want to create a dashboard/report to see how many users are currently logged on to the server that is monitored in Splunk. What type of search do I need to undertake? Is it required to activate any other specific logs from the server? Thanks,

0 Karma
1 Solution

vasildavid
Path Finder

I think you could accomplish this a couple of ways. You can either track the Windows Security Event Logs and look for logins/logouts or you could index the Windows PerfMon "\Server\Server Sessions" counter. The issue with trying to show the number of logged in users with the Event Logs is that if your reporting period is not large enough, a user who has been logged in since before that reporting period would not be included in the user count.

0 Karma

nguyengiap00tha
New Member

I am trying to track the Windows Security Event Logs and look for logins/logouts, but I can't combine the logon and logout logs.
Please help!

0 Karma
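An added example, not part of any post in this thread: one way to combine logon and logoff events into a count of open sessions, and to see the reporting-period caveat from the accepted solution. It assumes Security Event IDs 4624 (logon) and 4634/4647 (logoff) paired on their Logon ID; the sample events, tuple layout and function names are constructed for illustration.

```python
from datetime import datetime

LOGON = {4624}          # "An account was successfully logged on"
LOGOFF = {4634, 4647}   # "An account was logged off" / "User initiated logoff"
FMT = "%Y-%m-%d %H:%M"

# Constructed sample events (not real log data): (time, EventCode, Logon ID, user)
SAMPLE_EVENTS = [
    ("2024-01-10 08:00", 4624, "0x1a2b", "alice"),
    ("2024-01-10 09:15", 4624, "0x2c3d", "bob"),
    ("2024-01-10 11:30", 4634, "0x2c3d", "bob"),
    ("2024-01-10 13:05", 4624, "0x3e4f", "carol"),
    ("2024-01-10 13:40", 4624, "0x4a5b", "bob"),
    ("2024-01-10 14:20", 4647, "0x3e4f", "carol"),
]


def open_sessions(events, window_start, window_end):
    """Return {logon_id: user} for sessions opened in the window and not closed in it."""
    start = datetime.strptime(window_start, FMT)
    end = datetime.strptime(window_end, FMT)
    sessions = {}
    for ts, code, logon_id, user in sorted(events):
        when = datetime.strptime(ts, FMT)
        if not (start <= when <= end):
            continue  # outside the reporting period: the search never sees this event
        if code in LOGON:
            sessions[logon_id] = user
        elif code in LOGOFF:
            # A logoff whose logon predates the window has nothing to close.
            sessions.pop(logon_id, None)
    return sessions


def logged_in_users(events, window_start, window_end):
    """Distinct users with at least one open session at the end of the window."""
    return sorted(set(open_sessions(events, window_start, window_end).values()))


if __name__ == "__main__":
    # Whole day: alice (logged on at 08:00) and bob (second session) are counted.
    print(logged_in_users(SAMPLE_EVENTS, "2024-01-10 00:00", "2024-01-10 15:00"))
    # Last two hours only: alice's logon is outside the window, so she is missed.
    print(logged_in_users(SAMPLE_EVENTS, "2024-01-10 13:00", "2024-01-10 15:00"))
```

On real data, 4624 also records network and service logons, so filter on Logon Type (2 for interactive, 10 for remote interactive) before counting.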
