Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to Monitor 3 Users
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
01:33 AM
Hi
My system is Linux. Am trying to monitor 3 users in an index. The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
02:05 AM
if they fields for user, login time and IP address are already extracted you could set up a search like that
index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
02:05 AM
if they fields for user, login time and IP address are already extracted you could set up a search like that
index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
04:12 AM
Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
04:21 AM
You could combine both indexes like
(index=abc OR index=def) user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user
But that's a bit theoretical because I don't know if the data source or format that you wanna search through is the same. Feel free to provide some more information about the events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
04:29 AM
Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
