Solved: How to monitor three users?

woodlandrelic · ‎02-17-2023

Hi

My system is Linux. Am trying to monitor 3 users in an index. The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John?

Thanks

PaulPanther · ‎02-17-2023

Hi @woodlandrelic

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

View solution in original post

PaulPanther · ‎02-17-2023

Hi @woodlandrelic

if they fields for user, login time and IP address are already extracted you could set up a search like that

index=abc user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

woodlandrelic · ‎02-17-2023

@PaulPanther

Thanks. I have another user am monitoring in another index. Is there a way to combine both or will have to save them as a report individually?

PaulPanther · ‎02-17-2023

You could combine both indexes like

(index=abc OR index=def) user IN (James,Peter,John)
|stats latest(login_time) by ip_address, user

But that's a bit theoretical because I don't know if the data source or format that you wanna search through is the same. Feel free to provide some more information about the events.

woodlandrelic · ‎02-17-2023

@PaulPanther

Fantastic! It worked. I will find my way from here. Appreciate the quick help. Thanks

How to monitor three users?

fields

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

How to monitor three users?

fields

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025