Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see how many users are currently logged in to a server, monitored in Splunk?

B83896
New Member
‎02-15-2016 05:28 AM

Hello. Lately, we have started monitoring Windows server in Splunk. I have created a few dashboards with basins windows performance checkers. I want also to create a dashboard/report to see how many users are currently logged on to the server, which is monitored in Splunk? What type of search do I need to undertake? Is it required to activate any other specific logs from the server? Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-15-2016 01:43 PM

I think you could accomplish this a couple of ways. You can either track the Windows Security Event Logs and look for logins/logouts or you could index the Windows PerfMon "\Server\Server Sessions" counter. The issue with trying to show the number of logged in users with the Event Logs is that if your reporting period is not large enough, a user who has been logged in since before that reporting period would not be included in the user count.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nguyengiap00tha
New Member
‎08-08-2018 04:05 AM

I try track the Windows Security Event Logs and look for logins/logouts. But not combie Logs logon and logout?
Ples help!

0 Karma
Reply
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-15-2016 01:43 PM

I think you could accomplish this a couple of ways. You can either track the Windows Security Event Logs and look for logins/logouts or you could index the Windows PerfMon "\Server\Server Sessions" counter. The issue with trying to show the number of logged in users with the Event Logs is that if your reporting period is not large enough, a user who has been logged in since before that reporting period would not be included in the user count.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top