Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a query to find out users who logged into remote servers

liz23
New Member
‎06-12-2017 06:27 AM

When I write a query in splunk, I get results that also contain the intermediate active directory entries. I just need the username and the remote server he logged into in a single entry in a table without the active directory records. How do I tie these two things up.

0 Karma
Reply

DalJeanis
Legend
‎06-14-2017 11:09 AM

The answer is generally -
(1) find the format and identifying features of the records that contain information you need.
(2) find the format and identifying features of the records that do NOT contain information you need.
(3) write a query that retrieves the first group, eliminates the second group, and then processes the results to the format you want.

So, how do you find the format and identifying features of the records you want?

It sounds like you already have examples, just too many of them.

So, here's the steps

A) Pick ONE particular logon - one time when one user logged onto one computer and then logged through into another. Select all the events, including the ones that you don't need.

B) Anonymize this data by removing confidential information, masking IPs, changing the username and hostnames, and so on.

C) Post this non-confidential transaction data here in your question, along with your current search code. Be sure to mark the code and sample data both as code so that nothing gets altered by the interface.

D) Create and post the layout that you would like to see this information end up in.

Then we can tell you how to mate that all up into a search, perhaps using stats or perhaps transaction, to get what you need.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...