Splunk Enterprise Security

How to write a query to find out users who logged into remote servers

liz23
New Member

When I write a query in Splunk, I get results that also contain the intermediate Active Directory entries. I just need the username and the remote server he logged into in a single entry in a table without the Active Directory records. How do I tie these two things up?

0 Karma

DalJeanis
Legend

The answer is generally -
(1) find the format and identifying features of the records that contain information you need.
(2) find the format and identifying features of the records that do NOT contain information you need.
(3) write a query that retrieves the first group, eliminates the second group, and then processes the results to the format you want.

So, how do you find the format and identifying features of the records you want?

It sounds like you already have examples, just too many of them.

So, here are the steps:

A) Pick ONE particular logon - one time when one user logged onto one computer and then logged through into another. Select all the events, including the ones that you don't need.

B) Anonymize this data by removing confidential information, masking IPs, changing the username and hostnames, and so on.

C) Post this non-confidential transaction data here in your question, along with your current search code. Be sure to mark the code and sample data both as code so that nothing gets altered by the interface.

D) Create and post the layout that you would like to see this information end up in.

Then we can tell you how to mate that all up into a search, perhaps using stats or perhaps transaction, to get what you need.

0 Karma
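As an added illustration of step (3) above (example search, not part of DalJeanis's answer), here is a search in the shape he describes: keep the logon records, drop the rows that carry no useful information, then collapse the rest to one row per user and destination with `stats`. It assumes Windows Security events already indexed with the `EventCode` and `Logon_Type` fields and CIM-style `user`, `dest` and `src` fields, and it assumes the unwanted "intermediate" rows are machine-account (names ending in `$`) and built-in-account logons; both the field names and the exclusion list are assumptions to be adjusted to whatever your own sample data shows.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type IN (3, 10)
    NOT user="*$"
    NOT user IN ("SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE")
| eval user=lower(user), dest=lower(dest)
| stats count AS logons
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(src) AS source_hosts
        BY user dest
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort user dest
| table user dest source_hosts logons first_seen last_seen
```

Logon types 3 (network) and 10 (RemoteInteractive) are the ones that represent a user reaching a server from elsewhere, which is why the filter keeps only those. If you need the two hops of one session chained into a single entry rather than summarised per pair, `transaction user maxspan=5m` after the same filters is the `transaction` alternative he mentions, at a higher processing cost.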