Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to review how many servers a user logged into within a specific time period

rcastello
Explorer
‎12-05-2019 02:34 PM

Hello,

How can I compile a stats list of what servers a user account has logged into within a specific time period? I was surprised I couldn't find a similar answer that solved this.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-05-2019 11:47 PM

Hi @rcastello,
try something like this (for Windows Operative Systems):

index=wineventlog EventCode=4624
| stats values(host) AS host count BY Account_name

in this way you have a list of hosts for each user.

If instead you want to search a specific account, you could run something like this

index=wineventlog EventCode=4624 Account_name="xxxxxxxx"
| stats count BY host

that you can insert in a dashboard.

In both cases, check the name of the field Account_name because it could be different in your Windows (e.g. in Italy is frequently Nome_account).

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-05-2019 11:47 PM

Hi @rcastello,
try something like this (for Windows Operative Systems):

index=wineventlog EventCode=4624
| stats values(host) AS host count BY Account_name

in this way you have a list of hosts for each user.

If instead you want to search a specific account, you could run something like this

index=wineventlog EventCode=4624 Account_name="xxxxxxxx"
| stats count BY host

that you can insert in a dashboard.

In both cases, check the name of the field Account_name because it could be different in your Windows (e.g. in Italy is frequently Nome_account).

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...