Join the Conversation
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- I need to find a way to search for users that are ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to find a way to search for users that are logged into more than one hosts to entirely different hosts
This search doesn't really give me what an need nor does the ES-TA. I need to figure out how I can determine if a single user is or has logged into more that one host from totally different devices over the day. I have some ideas but this seems slightly storage to write a search. Here's what I have
I managed to create the report using this search
index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs, values(dvc) as "Domains Controller", count by user
| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
Will something like this work for the single condition and how would I modify it to if the user is also logged in PTO one or more devices using the same user name?
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
updated typos
index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown) | bucket span=1d _time
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs" , values(dvc) as "Domains Controller", count as Total_time_logged_in by _time user | where Number_logged_hosts>1
| rename user as Users, count as
| sort -Number_logged_hosts Users
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, that's a start somesoni2 - Thank you. Aside from where I am getting unbalanced quotes (Logins IP's) I believe
I then am thrown the following
Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.
Anyone else have thoughts on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 I forgot to say a big thanks!~
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well this search will execute however I'm baffled why it believes the above argument is invalid
index=oswinsec (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domain Controller", count by user
| rename user as Users
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the typos. Give it a try again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm same message - Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
