Splunk Search

How can I use login and logout events for specific UserIDs to determine concurrent users at a given time?

purcell12491
Loves-to-Learn

These are the fields I'm using: Body, ATNVersion, operatingsystem, osversion, MID


PickleRick
SplunkTrust

1. Your problem is not clearly specified. You might want to find out how many users are logged in at some given point in time, or which ones are logged in (also, possibly counting or not counting duplicate logins).

2. Do you have separate login and logout events?

3. Remember that as you're logging only login and logout events, you won't find sessions which "overlap" your search time range. For example, if your user logged in at 9am and logged out at 12pm, you won't find this session if you only search through 10am-11am, because you have no events regarding this session during that time range. (This problem can be alleviated for specific use cases by using summary indexing.)

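As an added example (not from the original thread or any of its posters), here is one way to turn separate login and logout events into a concurrent-user count over time. It assumes an index `auth`, a sourcetype `app_auth`, a `user` field identifying the account (in the asker's data this might be the MID field) and an `action` field whose values are `login` or `logout` (if the words only appear in Body, an `eval` or `rex` would have to derive `action` first); all of these names are assumptions:

```spl
index=auth sourcetype=app_auth earliest=-24h@h (action="login" OR action="logout")
| sort 0 _time
| streamstats current=f last(action) as prev_action by user
| where isnull(prev_action) OR prev_action!=action
| eval delta=if(action="login", 1, -1)
| streamstats sum(delta) as concurrent_users
| timechart span=5m max(concurrent_users) as concurrent_users
| filldown concurrent_users
| where _time >= relative_time(now(), "-1h@h")
```

The `streamstats current=f last(action) ... by user` step followed by the `where` drops a repeated login (or repeated logout) for the same user, so a duplicate login does not count twice; remove those two lines if duplicate logins should be counted as separate sessions. The running `sum(delta)` is the number of users logged in after each event, and `filldown` carries the last known value into 5-minute buckets that contain no events. The `earliest=-24h@h` look-back together with the final `where` addresses the overlap problem: the search reads events from well before the hour being reported so that sessions which started earlier are still counted, and only the last hour of the timechart is returned. Sessions that began before the look-back window are still invisible, and a logout without a matching login in the window will drive the count down by one; a negative or implausibly low value in the output is the sign that the look-back is too short or that summary indexing of the running count is needed.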

gcusello
SplunkTrust

Hi @purcell12491 ,

could you better describe your requirement: operating systems, fields used, etc.?

Ciao.

Giuseppe


KendallW
Contributor