Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a query to find out users who logged into remote servers

liz23
New Member
‎06-12-2017 06:27 AM

When I write a query in splunk, I get results that also contain the intermediate active directory entries. I just need the username and the remote server he logged into in a single entry in a table without the active directory records. How do I tie these two things up.

0 Karma
Reply

DalJeanis
Legend
‎06-14-2017 11:09 AM

The answer is generally -
(1) find the format and identifying features of the records that contain information you need.
(2) find the format and identifying features of the records that do NOT contain information you need.
(3) write a query that retrieves the first group, eliminates the second group, and then processes the results to the format you want.

So, how do you find the format and identifying features of the records you want?

It sounds like you already have examples, just too many of them.

So, here's the steps

A) Pick ONE particular logon - one time when one user logged onto one computer and then logged through into another. Select all the events, including the ones that you don't need.

B) Anonymize this data by removing confidential information, masking IPs, changing the username and hostnames, and so on.

C) Post this non-confidential transaction data here in your question, along with your current search code. Be sure to mark the code and sample data both as code so that nothing gets altered by the interface.

D) Create and post the layout that you would like to see this information end up in.

Then we can tell you how to mate that all up into a search, perhaps using stats or perhaps transaction, to get what you need.

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...