Splunk Search

How can I find a full list of users using IP address

robertlynch2020
Influencer

Hi

I have the command below, which I think works 95% of the time.

index=_internal sourcetype=splunkd_ui_access | stats count by clientip, user, _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100

The issue is that sometimes it reports users that did not use the system. I think this might be because of IP addresses changing. However, I am not 100% sure about this.

Any help would be brill.

0 Karma

horsefez
Motivator

Hi,

The issue is that sometimes it reports users that did not use the system. I think this might be because of IP addresses changing. However, I am not 100% sure about this.

This doesn't sound right... how should Splunk know about the names of other users that didn't access the instance??

0 Karma

gcusello
SplunkTrust

Hi robertlynch2020,
surely the IP address changes because it is assigned by DNS.
Anyway you could create a lookup with a list of all users.
You could maintain this lookup with a scheduled search or an extraction from Active Directory.
If you have this lookup you can check the users in your search and list the ones not present:

index=_internal sourcetype=splunkd_ui_access
| eval user=lower(user)
| stats count BY user
| append [ | inputlookup user_lookup.csv | eval user=lower(user), count=0 | fields user count ]
| stats sum(count) AS Total by user

In this way, users with Total=0 are missing and users with Total greater than 0 are present.

Bye.
Giuseppe

0 Karma
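The two searches in this thread can be reproduced outside Splunk to see why the per-IP count drifts from the per-user count. The following Python is an added example, not code from either poster: it parses constructed lines in the shape of splunkd_ui_access, builds the per-day users-per-client-IP view the question asks about, flags users seen from more than one address (the "IP address changing" case), and reconciles the observed users against a roster the way Giuseppe's append/stats search does. The sample log lines and the roster are constructed; user_lookup.csv is assumed to be a simple list of account names.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of splunkd_ui_access (NCSA-style) lines.
# alice is seen from two addresses on the same day, which is the situation the
# question suspects; the fourth line is an unauthenticated request (user "-").
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Nov/2023:09:12:01.412 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 11ms
10.0.0.7 - bob [03/Nov/2023:10:02:44.003 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 9ms
10.0.0.9 - alice [03/Nov/2023:17:30:10.250 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 12ms
10.0.0.7 - - [04/Nov/2023:08:00:00.000 +0000] "GET /en-US/account/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" - 3ms
10.0.0.7 - Bob [04/Nov/2023:08:05:00.777 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 10ms
"""

# Only the leading "clientip - user [timestamp]" part is needed here.
LINE_RE = re.compile(r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\]')


def parse_access_log(text):
    """Return one event dict per parseable line; user is lower-cased like `eval user=lower(user)`."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        # "03/Nov/2023:09:12:01.412 +0000" -> date part before the first colon
        day = datetime.strptime(m.group("ts").split(":")[0], "%d/%b/%Y").date().isoformat()
        events.append({
            "clientip": m.group("clientip"),
            "user": None if user == "-" else user.lower(),
            "day": day,
        })
    return events


def users_by_ip_per_day(events):
    """Mirror of `stats count by clientip, user, _time | timechart span=1d ...`:
    the set of authenticated users seen from each client IP on each day."""
    seen = defaultdict(set)
    for e in events:
        if e["user"] is not None:
            seen[(e["day"], e["clientip"])].add(e["user"])
    return dict(seen)


def users_with_multiple_ips(events):
    """Users that appear from more than one address; each extra address inflates
    a count that is keyed by IP/host rather than by user."""
    ips = defaultdict(set)
    for e in events:
        if e["user"] is not None:
            ips[e["user"]].add(e["clientip"])
    return {u: a for u, a in ips.items() if len(a) > 1}


def reconcile_with_roster(events, roster):
    """Mirror of the append/stats search: observed hit counts per user, unioned
    with the roster at count 0, so roster users with Total == 0 never logged in."""
    totals = Counter(e["user"] for e in events if e["user"] is not None)
    for name in roster:            # the `inputlookup user_lookup.csv` rows, count=0
        totals.setdefault(name.lower(), 0)
    return dict(totals)


if __name__ == "__main__":
    evts = parse_access_log(SAMPLE_LOG)
    for key, users in sorted(users_by_ip_per_day(evts).items()):
        print(key, sorted(users))
    print("users seen from several IPs:", users_with_multiple_ips(evts))
    # Constructed roster standing in for user_lookup.csv
    totals = reconcile_with_roster(evts, ["Alice", "Bob", "carol"])
    print("never logged in:", [u for u, c in totals.items() if c == 0])
```

The reconciliation keeps observed users that are absent from the roster (they come through with their real count, just as the stats union does in SPL), so the output also surfaces accounts that are logging in but are missing from the directory export.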