Solved: Re: How to Monitor 3 Users

woodlandrelic · ‎02-17-2023

Hi

My system is Linux. Am trying to monitor 3 users in an index. The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?

Thanks

PaulPanther · ‎02-17-2023

Hi @woodlandrelic

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

View solution in original post

PaulPanther · ‎02-17-2023

Hi @woodlandrelic

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

woodlandrelic · ‎02-17-2023

@PaulPanther

Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?

PaulPanther · ‎02-17-2023

You could combine both indexes like

(index=abc OR index=def) user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

But that's a bit theoretical because I don't know if the data source or format that you wanna search through is the same. Feel free to provide some more information about the events.

woodlandrelic · ‎02-17-2023

@PaulPanther

Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks

How to monitor three users?

fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?