Solved: Re: How can I find users logged on some PCs if PCs...

AlexeySh · ‎03-26-2019

Hello,

I'm trying to create a list of users who use a particular software, lest say Notepad 7.6.3. I can easily find the PCs where software is installed:

index=my_software_list software_name=“Notepad 7.6.3” | table dns_name

Now I’m thinking to simply use Windows Security logs and find user who was connected to these PCs. Something like:

index=windows_security EventCode=4624 dns_name=??? | table user

The question is how can I put all PCs found in my previous search to this query? Should I use join left? Should I export the results of the first search to a lookup and then perform inputllokup in a separate one? Any other idea?

Thanks for the help.

Regards,
Alex.

somesoni2 · ‎03-26-2019

Give this a try

index=windows_security EventCode=4624 [search index=my_software_list software_name="Notepad 7.6.3" |stats count by dns_name |  table dns_name] | table user

View solution in original post

somesoni2 · ‎03-26-2019

Give this a try

index=windows_security EventCode=4624 [search index=my_software_list software_name="Notepad 7.6.3" |stats count by dns_name |  table dns_name] | table user

AlexeySh · ‎03-27-2019

Gorgeous!

Thanks for the help.

How can I find users logged on some PCs if PCs list is a result of a different search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!