Splunk Search

How to find an active user session on different machines at the same time?

guimilare
Communicator

Hello Splunkers.

Using the wineventlog I can tell when a user logged on and off based on EventCodes 4624 and 4634 and the logon id:

Logon:

03/09/2017 11:54:51 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxxxxxxxx
TaskCategory=Logon
OpCode=Info
RecordNumber=xxxxx
Keywords=Audit Success
Message=An account was successfully logged on.
...
New Logon:
Security ID:        XXX\visit
Account Name:       visit
Account Domain:     XXX
Logon ID:       0xA2207D111

Logoff:

03/09/2017 12:11:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=xxxxxx
TaskCategory=Logoff
OpCode=Info
RecordNumber=xxxxxx
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        XXX\visit
    Account Name:       visit
    Account Domain:     XXX
    Logon ID:       0xA2207D111

However, I need to know when the same Account Name exists on two machines, I mean, when there are two sessions active at the same time.

Any ideas how I can do this?

Regards,
GMA

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | streamstats current=f last(EventCode) AS nextEventCode BY user
| reverse
| streamstats current=f last(EventCode) AS prevEventCode BY user
| reverse
| search (EventCode=4624 AND prevEventCode=4624) OR (EventCode=4624 AND nextEventCode=4624)

This shows you any time any user has 2 logins (4624) without a logout between them (4634). This is a HUGE shortcut.


0 Karma



guimilare
Communicator

I tried this:

index="myindex_wineventlog" user=visit (EventCode=4624 OR EventCode=4634)
| rex field=_raw "(?<tr_id>0x\w{9})"
| transaction tr_id
| concurrency duration=duration

However, this search brings the durations of the sessions, and not the sessions that overlap...

0 Karma
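As an added example (not code from the thread), here is the same detection done outside Splunk in Python on the event layout quoted in the question: 4624 and 4634 events are paired into sessions by Logon ID, and a user is reported when two of their sessions on different ComputerNames overlap in time. Unlike the transaction/concurrency attempt above, a session with no 4634 yet is treated as still active rather than dropped; the hosts, times and Logon IDs are constructed.

```python
import re
from datetime import datetime
from itertools import combinations
TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # timestamp line format quoted in the question

def event(ts, code, host, user, logon_id):
    """Constructed event in the wineventlog layout quoted in the question (not real data)."""
    return (f"{ts}\nLogName=Security\nEventCode={code}\nComputerName={host}\n"
            f"Account Name:       {user}\nLogon ID:       {logon_id}")

def parse_events(raw):
    """Yield (time, code, host, user, logon_id) per blank-line separated event. The LAST
    'Account Name'/'Logon ID' pair is used: in a real 4624 that is the New Logon block."""
    for chunk in raw.strip().split("\n\n"):
        ts = datetime.strptime(chunk.splitlines()[0], TS_FMT)
        code = re.search(r"^EventCode=(\d+)", chunk, re.M).group(1)
        host = re.search(r"^ComputerName=(\S+)", chunk, re.M).group(1)
        user = re.findall(r"Account Name:\s+(\S+)", chunk)[-1]
        yield ts, code, host, user, re.findall(r"Logon ID:\s+(0x[0-9A-Fa-f]+)", chunk)[-1]

def build_sessions(events):
    """Pair 4624 (start) with 4634 (end) by Logon ID; no 4634 yet means still active."""
    sessions = {}
    for ts, code, host, user, lid in sorted(events):
        if code == "4624":
            sessions[lid] = {"user": user, "host": host, "start": ts, "end": None}
        elif code == "4634" and lid in sessions:
            sessions[lid]["end"] = ts
    return list(sessions.values())

def concurrent_sessions(sessions):
    """Return (user, host_a, host_b) for same-user sessions on different hosts that overlap."""
    hits = []
    for a, b in combinations(sessions, 2):
        if a["user"] != b["user"] or a["host"] == b["host"]:
            continue
        if a["start"] < (b["end"] or datetime.max) and b["start"] < (a["end"] or datetime.max):
            hits.append((a["user"], a["host"], b["host"]))
    return hits

# Constructed sample: 'visit' overlaps on HOST-A/HOST-B; 'bob' logs off A before logging on to B.
RAW_EVENTS = "\n\n".join([
    event("03/09/2017 11:54:51 AM", 4624, "HOST-A", "visit", "0xA2207D111"),
    event("03/09/2017 12:02:00 PM", 4624, "HOST-B", "visit", "0xB3318E222"),
    event("03/09/2017 12:11:21 PM", 4634, "HOST-A", "visit", "0xA2207D111"),
    event("03/09/2017 12:30:00 PM", 4634, "HOST-B", "visit", "0xB3318E222"),
    event("03/09/2017 01:00:00 PM", 4624, "HOST-A", "bob", "0xC4429F333"),
    event("03/09/2017 01:05:00 PM", 4634, "HOST-A", "bob", "0xC4429F333"),
    event("03/09/2017 01:10:00 PM", 4624, "HOST-B", "bob", "0xD553A0444"),
])
```

Running concurrent_sessions(build_sessions(parse_events(RAW_EVENTS))) reports only visit on HOST-A and HOST-B; bob's still-open HOST-B session starts after his HOST-A logoff, so it is not flagged.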