Splunk Search

Concurrent Logins on multiple Linux servers

pstephens93
Explorer

Hello

I am trying to find users who have logged into more than one system within the last 30 minutes. I want to return a list of users who have logged into more than one system during that time frame. 

The stats function of the search does not seem to pull any results after finding all the login sessions, based on looking at job inspection. The stats function is supposed to find distinct users where hosts is greater than 1.

index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats dc(L_User) as users dc(Linux_Server) as hosts by L_User, Linux_Server
| where hosts>1
| table L_User, Linux_Server


0 Karma
1 Solution

scelikok
SplunkTrust

Hi @pstephens93,

Since you are using both L_User and Linux_Server for group by, stats cannot count. Try the query below:

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(Linux_Server) as Linux_Server dc(Linux_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.


scelikok
SplunkTrust

I thought you had a field named Linux_Server in the logs. Please try the query below:

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma


pstephens93
Explorer

@scelikok  

Thanks for the Help

0 Karma

pstephens93
Explorer

@scelikok 

I tried the search you suggested; it seems like it is having an issue with this line:

|where host_count>1

When I run the following command:

index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats values(L_Server) as Linux_Server dc(Linux_Server) as host_count by L_user

I get a list of users who have logged into multiple servers and single servers during that time frame but host_count does not go above 0.

[screenshot of the search results: pstephens93_1-1610471213363.png]

Any idea why that may be? 

0 Karma

pstephens93
Explorer

@scelikok 

Question for you: this search helps me find users who have logged into multiple systems within the last 30 minutes.

index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
| where host_count > 1

How can I expand on this to check whether the user logged off before logging into another system? Would that be a completely different search?

If a user logs into server1, then logs into server2: this is a finding.
If a user logs into server1, logs off, then logs into server2: this is not a finding.

0 Karma