Solved: How to review how many servers a user logged into ...

rcastello · ‎12-05-2019

Hello,

How can I compile a stats list of what servers a user account has logged into within a specific time period? I was surprised I couldn't find a similar answer that solved this.

Thank you.

gcusello · ‎12-05-2019

Hi @rcastello,
try something like this (for Windows Operative Systems):

index=wineventlog EventCode=4624
| stats values(host) AS host count BY Account_name

in this way you have a list of hosts for each user.

If instead you want to search a specific account, you could run something like this

index=wineventlog EventCode=4624 Account_name="xxxxxxxx"
| stats count BY host

that you can insert in a dashboard.

In both cases, check the name of the field Account_name because it could be different in your Windows (e.g. in Italy is frequently Nome_account).

Ciao.
Giuseppe

View solution in original post

gcusello · ‎12-05-2019

Hi @rcastello,
try something like this (for Windows Operative Systems):

index=wineventlog EventCode=4624
| stats values(host) AS host count BY Account_name

in this way you have a list of hosts for each user.

If instead you want to search a specific account, you could run something like this

index=wineventlog EventCode=4624 Account_name="xxxxxxxx"
| stats count BY host

that you can insert in a dashboard.

In both cases, check the name of the field Account_name because it could be different in your Windows (e.g. in Italy is frequently Nome_account).

Ciao.
Giuseppe

How to review how many servers a user logged into within a specific time period

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms