Concurrent logons from different workstations

Splunk Search

I have a requirement to see which users have logged into multiple servers before logging out of the previous server.

I currently have this Search Set up:

index="fed-prod"   L_Action="New session"
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
|where host_count > 1

This search finds all the users who have logged to multiple servers but does tell me if they have logged out of the other server first or allow me to narrow the time down to within a certain window. I currently do not have a active feed into splunk and upload data manually do to licensing restrictions

The report would need to be ran weekly. I would like to do this one of two ways. First option would be add in a time premaster to the current above search that checks the time stamp of the log for it to be within a 15 minute window if the user logged into two. If the time stamps of the two logs are within 15 minutes it out puts a finding of the User and servers it logged into.

The second option would be to to do some sort of sub search. that would check to see which users logged in to what servers. then check to see if they logged out before logging into another one.

Get Updates on the Splunk Community!

Concurrent logons from different workstations

stats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

Concurrent logons from different workstations

stats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!