Splunk Search

How to monitor three users?

woodlandrelic
Path Finder

Hi 

My system is Linux.  Am trying to monitor 3 users in an index.  The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?

Thanks

Labels (1)
0 Karma
1 Solution

PaulPanther
Motivator

Hi @woodlandrelic 

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

View solution in original post

PaulPanther
Motivator

Hi @woodlandrelic 

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

woodlandrelic
Path Finder

@PaulPanther 

Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?

0 Karma

PaulPanther
Motivator

You could combine both indexes like

 

(index=abc OR index=def) user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

 

But that's a bit theoretical because I don't know if the data source  or format that you wanna search through is the same. Feel free to provide some more information about the events.

woodlandrelic
Path Finder

@PaulPanther 

Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...