It would help some of the raw data and/or your current search.
Show a sample log and maybe we can get on with helping.
Hello @RobertKepner - did you manage to get this done ?
I wanted to check - if fortigate logs would be enough to get this done or something else would also be needed ?
I am also planning to achieve the same. i think if i shall make a search query out of fortigate data, i should be able to achieve this..
@saurabh_tek I am not familiar with the fortigate data either. If you can share a couple of events with extracted field names, we can help.
A quick look at the fortigate log documentation says this probably is possible, but so much depends on exactly how you have the device(s) configured, if you have the Splunk Fortigate App installed and so on.
If you could please describe and provide a few examples of what logs you have available and perhaps what search you have that isn't working, we could potentially help you with this.
If it's IIS just grab the ur_stem="*" and whatever is the parsed field for username and then table the results by those same fields ... also include _time