Concurrent Logins on multiple Linux servers

pstephens93
Explorer

Hello

I am trying to find users who have logged into more than one system within the last 30 minutes. I want to return a list of users who have logged into more than one system during that time frame. 

The stats function of the search does not seem to pull any results after finding all the login sessions, after looking at job inspection. The stats function is supposed to find distinct users where hosts is greater than 1.

index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats dc(L_User) as users dc(Linux_Server) as hosts by L_User,Linux_Server
| where hosts>1 | table L_User, Linux_Server

scelikok
Champion

Hi @pstephens93,

Since you are using both L_User and Linux_Server for group by, stats cannot count. Try the query below:

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(Linux_Server) as Linux_Server dc(Linux_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

If this reply helps you an upvote is appreciated.

scelikok
Champion

I thought you had a field named Linux_Server in the logs. Please try the query below:

index ="Wawf" L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_User 
| where host_count>1 
| table L_User, Linux_Server

If this reply helps you an upvote is appreciated.

pstephens93
Explorer

@scelikok  

Thanks for the Help

pstephens93
Explorer

@scelikok 

I tried the search you suggested; it seems like it is having an issue with this line of code:

|where host_count>1

When I run the following command I get

index="Wawf"   L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(Linux_Server) as host_count by L_user

I get a list of users who have logged into multiple servers and single servers during that time frame but host_count does not go above 0.

Any idea why that may be? 

pstephens93
Explorer

@scelikok 

Question for you: this helps me find users who have logged into multiple systems within the last 30 minutes

index="Wawf"   L_Action="New session" earliest=-30min latest=now 
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
|where host_count > 1

How can I expand on  this to track to see if the User logged off before logging into another system? Would that be a completely different search?

If a user logs into server1 then logs into server2: this is a finding.
If a user logs into server1, logs off, then logs into server2: this is not a finding.

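One way to express the "still logged in elsewhere" check asked about above, as an added example that is not code from this thread: replay login and logoff events per user in time order and flag a login that happens while that user still has an open session on a different host. The log line layout, the "Session closed" action value and the sample events are constructed assumptions (the thread only shows the L_User / L_Server / L_Action field names and the "New session" value).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not taken from the original thread. Field names
# mirror the thread's L_User / L_Server / L_Action; the "Session closed" action
# value is an assumption, since the thread only shows "New session".
SAMPLE_EVENTS = [
    '2021-01-12 14:00:00 L_User=alice L_Server=server1 L_Action="New session"',
    '2021-01-12 14:05:00 L_User=alice L_Server=server2 L_Action="New session"',
    '2021-01-12 14:01:00 L_User=bob L_Server=server1 L_Action="New session"',
    '2021-01-12 14:04:00 L_User=bob L_Server=server1 L_Action="Session closed"',
    '2021-01-12 14:06:00 L_User=bob L_Server=server2 L_Action="New session"',
    '2021-01-12 14:07:00 L_User=carol L_Server=server3 L_Action="Session closed"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) L_User=(?P<user>\S+) L_Server=(?P<server>\S+) '
    r'L_Action="(?P<action>[^"]+)"$'
)


def parse_event(line):
    """Return (time, user, server, action), or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("server"), m.group("action")


def concurrent_logins(lines):
    """Replay events in time order and report each login that happens while the
    same user still has an open session on another host.
    Returns a list of (user, new_server, sorted list of still-open servers)."""
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    open_sessions = defaultdict(set)  # user -> hosts with a session still open
    findings = []
    for _ts, user, server, action in events:
        if action == "New session":
            others = open_sessions[user] - {server}
            if others:  # logged in elsewhere without logging off: a finding
                findings.append((user, server, sorted(others)))
            open_sessions[user].add(server)
        elif action == "Session closed":
            open_sessions[user].discard(server)  # a stray logoff is ignored
    return findings


if __name__ == "__main__":
    for user, server, still_open in concurrent_logins(SAMPLE_EVENTS):
        print(f"{user} opened {server} while still logged into {still_open}")
```

On the sample data only alice is reported (server2 opened while server1 is still open); bob logged off server1 before opening server2 and is not a finding. The same replay maps onto SPL by sorting on L_User and _time and keeping a running per-user set of open hosts with streamstats.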