Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to Monitor 3 Users
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
01:33 AM
Hi
My system is Linux. Am trying to monitor 3 users in an index. The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
02:05 AM
if they fields for user, login time and IP address are already extracted you could set up a search like that
index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
02:05 AM
if they fields for user, login time and IP address are already extracted you could set up a search like that
index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
04:12 AM
Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PaulPanther
Motivator
02-17-2023
04:21 AM
You could combine both indexes like
(index=abc OR index=def) user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user
But that's a bit theoretical because I don't know if the data source or format that you wanna search through is the same. Feel free to provide some more information about the events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodlandrelic
Path Finder
02-17-2023
04:29 AM
Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
