How to search for a user and then be able to see t...

whitt · ‎05-17-2017

How would i search for a user and then be able to see the computer he/she is logging into?

DalJeanis · ‎05-18-2017

First, do this ...

index=wineventlog ("4624" OR "4648") | head 3

Look at the returned events and find the names of the fields for EventID, Account_Name, host

Then do something like this (modify field names as needed) ...

index=wineventlog (EventID=528 OR EventID=540 OR EventID=552 OR EventID=4624 OR EventID=4648) 
Account_Name="userid"

Check the interesting fields and verify if the host has been extracted correctly.

Because I am in a massively heterogeneous environment, dealing with unix and windows OSs going back quite a few versions, my search time extraction of those fields and a couple of others is actually about 35 lines long. Hopefully, you only have to deal with a couple of versions of windows, and the 3-digit EventIDs are not even relevant to you.

whitt · ‎05-18-2017

index= wineventlog

rphillips_splk · ‎05-17-2017

@whitt do you know what index the events live in and if the event contains the information you are looking for all in one event? Providing a sample event would be a good place to start so we can help you construct the search.

How to search for a user and then be able to see the computer he/she is logging into?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!