Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Concurrent Logins on multiple Linux servers

pstephens93
Explorer
‎01-11-2021 11:44 AM

Hello

I am trying to find users who have logged into more than one system within the last 30 minutes. I want to return a list of users who have logged into more than one system during that time frame. 

The Stats function of the search does not seem to pull any results after finding all the login sessions after looking at job inspection.  The stats function is suppose to find distinct users where hosts is greater than 1. 

index ="Wawf"  L_Action="New session" earliest=-30min latest=now
|stats dc(L_User) as users dc(Linux_Server) as hosts by L_User,Linux_Server
 |where hosts>1 | table L_User, Linux_Server

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-11-2021 12:32 PM

Hi @pstephens93,

Since you are using both L_User and Linux_Server for group by stats cannot count. Try below query;

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(Linux_Server) as Linux_Server dc(Linux_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-12-2021 09:29 AM

I thought you have a field named Linux_Server field in the logs. Please try below;

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-11-2021 12:32 PM

Hi @pstephens93,

Since you are using both L_User and Linux_Server for group by stats cannot count. Try below query;

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(Linux_Server) as Linux_Server dc(Linux_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

pstephens93
Explorer
‎01-12-2021 10:19 AM

@scelikok  

Thanks for the Help

0 Karma
Reply
Solved! Jump to solution

pstephens93
Explorer
‎01-12-2021 09:06 AM

@scelikok 

I tried the Search you suggested it seems like it is having an issue with this line of code

|where host_count>1

 

When I run the following Command I get 

index="Wawf"   L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(Linux_Server) as host_count by L_user

I get a list of users who have logged into multiple servers and single servers during that time frame but host_count does not go above 0.

pstephens93_1-1610471213363.png

 

 

Any idea why that may be? 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

pstephens93
Explorer
‎01-12-2021 11:17 AM

@scelikok 

 

Question for you, This helps me find users who have logged into multiple systems  within the last 30 minutes 

index="Wawf"   L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
|where host_count > 1

 

How can I expand on  this to track to see if the User logged off before logging into another system? Would that be a completely different search?

If  user logs into server1 then logs into sever2 :  this is a finding.
If user logs into server1, logs off, then logs into server2 : this is not a finding

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...