Splunk Search

How to search for accounts (e.g. Active Directory users) that are logged in two or more times at the same time?

New Member

Forgive me for this question, but I am new with Splunk.

We are looking to see if we can use Splunk to locate accounts (Active Directory for example) where there are multiple simultaneous logins. For example, we want to know if JSMITH is logged in twice (or more) at the same time. Since we prohibit that, we want to report on it. Any ideas how we can do this and yet minimize false positives?

Thanks!

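The detection the question asks for, written out as an added example (not code from this thread or from Splunk): the same logic one would express in SPL with `transaction` and `concurrency`, done in Python so the steps are explicit and runnable offline. The input lines are constructed sample Windows Security events (logon 4624 / logoff 4634) using the field names the Splunk Windows add-on extracts (`Account_Name`, `Logon_ID`, `Logon_Type`, `ComputerName`); the simplified "timestamp key=value" line format is an assumption for this example. Two choices address the false-positive concern: only interactive logon types (2, 10, 11) count as a session, so network logons to file shares are ignored, and by default an overlap is reported only when the sessions are on different hosts, so a user who opens a second session on the same workstation is not flagged.

```python
"""Flag accounts that hold two or more interactive logon sessions at once.

Added example, not from the Splunk Answers thread. Sample events below are
constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample events (assumed "timestamp key=value ..." format).
# EventCode 4624 = logon, 4634 = logoff. Logon_Type 2 = console, 10 = RDP,
# 3 = network (file shares, which produce many short sessions).
SAMPLE_EVENTS = """\
2024-01-15T08:00:00 EventCode=4624 Account_Name=JSMITH Logon_Type=2 Logon_ID=0x1A ComputerName=WS01
2024-01-15T08:05:00 EventCode=4624 Account_Name=JSMITH Logon_Type=3 Logon_ID=0x2B ComputerName=FS01
2024-01-15T08:05:30 EventCode=4634 Account_Name=JSMITH Logon_Type=3 Logon_ID=0x2B ComputerName=FS01
2024-01-15T08:30:00 EventCode=4624 Account_Name=JSMITH Logon_Type=10 Logon_ID=0x3C ComputerName=WS02
2024-01-15T09:00:00 EventCode=4634 Account_Name=JSMITH Logon_Type=2 Logon_ID=0x1A ComputerName=WS01
2024-01-15T09:30:00 EventCode=4634 Account_Name=JSMITH Logon_Type=10 Logon_ID=0x3C ComputerName=WS02
2024-01-15T08:10:00 EventCode=4624 Account_Name=AJONES Logon_Type=2 Logon_ID=0x4D ComputerName=WS03
2024-01-15T08:20:00 EventCode=4624 Account_Name=AJONES Logon_Type=2 Logon_ID=0x5E ComputerName=WS03
2024-01-15T08:40:00 EventCode=4634 Account_Name=AJONES Logon_Type=2 Logon_ID=0x4D ComputerName=WS03
2024-01-15T10:00:00 EventCode=4634 Account_Name=AJONES Logon_Type=2 Logon_ID=0x5E ComputerName=WS03
"""

INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}  # console, RDP, cached interactive

Session = Tuple[str, str, datetime, Optional[datetime]]  # user, host, start, end


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["_time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def build_sessions(events: List[Dict[str, str]], logon_types=INTERACTIVE_LOGON_TYPES) -> List[Session]:
    """Pair each 4624 with the 4634 carrying the same Logon_ID on the same host.

    Sessions with no logoff seen get end=None (still logged on at end of data).
    """
    open_sessions: Dict[Tuple[str, str], Tuple[str, str, datetime]] = {}
    sessions: List[Session] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["ComputerName"], ev["Logon_ID"])
        if ev["EventCode"] == "4624":
            if ev.get("Logon_Type") in logon_types:
                open_sessions[key] = (ev["Account_Name"], ev["ComputerName"], ev["_time"])
        elif ev["EventCode"] == "4634" and key in open_sessions:
            user, host, start = open_sessions.pop(key)
            sessions.append((user, host, start, ev["_time"]))
    for user, host, start in open_sessions.values():
        sessions.append((user, host, start, None))
    return sessions


def find_concurrent_logins(text: str, require_distinct_hosts: bool = True,
                           logon_types=INTERACTIVE_LOGON_TYPES):
    """Return [(user, overlap_start, overlap_end, sorted_hosts)] for every window
    in which one account held two or more sessions at the same time.
    overlap_end is None when the overlap was still ongoing at end of data."""
    by_user = defaultdict(list)
    for user, host, start, end in build_sessions(parse_events(text), logon_types):
        by_user[user].append((host, start, end))

    findings = []
    for user, sess in by_user.items():
        # Sweep line over logon (+1) and logoff (-1) points. Logoffs sort before
        # logons at equal timestamps, so a back-to-back logoff/logon is not an overlap.
        points = []
        for host, start, end in sess:
            points.append((start, 1, host))
            if end is not None:
                points.append((end, -1, host))
        points.sort(key=lambda p: (p[0], p[1]))

        active = defaultdict(int)  # host -> number of live sessions on it
        in_overlap, window_start, window_hosts = False, None, set()
        for t, delta, host in points:
            active[host] += delta
            if active[host] == 0:
                del active[host]
            hosts = set(active)
            overlapping = sum(active.values()) >= 2 and (
                not require_distinct_hosts or len(hosts) >= 2)
            if overlapping and not in_overlap:
                in_overlap, window_start, window_hosts = True, t, set(hosts)
            elif overlapping:
                window_hosts |= hosts
            elif in_overlap:
                findings.append((user, window_start, t, sorted(window_hosts)))
                in_overlap = False
        if in_overlap:
            findings.append((user, window_start, None, sorted(window_hosts)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for user, start, end, hosts in find_concurrent_logins(SAMPLE_EVENTS):
        print(f"{user}: concurrent sessions {start} to {end} on {', '.join(hosts)}")
```

On the sample data only JSMITH is reported (WS01 and WS02 overlapping between 08:30 and 09:00); AJONES's two sessions on the same workstation are suppressed unless `require_distinct_hosts=False`, and the short network logon to FS01 is ignored unless type 3 is added to `logon_types`. Tuning those two knobs is the practical way to keep the report to cases that really look like a shared or stolen account.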

Splunk Employee

Are you running Splunk, or Splunk Light? Splunk Light doesn't support the App for Windows infrastructure (codifies these types of questions) but you can still use a basic search to do this.

There are a couple of answers that address similar questions:
https://answers.splunk.com/answers/5928/search-query-for-multiple-login-done-by-more-than-one-pc.htm...
https://answers.splunk.com/answers/301152/how-to-search-a-list-of-users-that-have-logged-in.html

Hope this helps.


Legend

Have you looked at the Splunk App for Windows Infrastructure? https://splunkbase.splunk.com/app/1680/


New Member

Many thanks. I have not yet, but I will check this out.
