I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time (a general count of sessions occurring at a given time). I somewhat get that done with this search:
index=main EventCode=4624
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account
I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage. Any tips for a Splunk Newb?
Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.
The advice around 'transaction' is good - avoid it where possible; it's rarely necessary and almost never the solution for looking for long-lived things.
streamstats and stats are generally what you can use.
Here's a recent post on doing something similar, which gives examples of how you can build things.
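As an added illustration of the stats-based approach (this is example code, not from the thread or from bowesmana's linked post), the search below pairs 4624 logons with 4634 logoffs on the same host and Logon ID, computes each session's duration, then slices sessions into 5-minute buckets and counts how many distinct hosts an account is logged on to in each bucket. It assumes the field names the Splunk Add-on for Microsoft Windows extracts (Account_Name, Logon_ID, host), the same index=main as the question, and a 5-minute bucket size; both 4624 (two Account_Name/Logon_ID values: subject, then new logon) and 4634 (one value) are handled by taking the last value with mvindex(...,-1):

```spl
index=main (EventCode=4624 OR EventCode=4634)
| eval Account=mvindex(Account_Name,-1), LogonID=mvindex(Logon_ID,-1)
| where NOT like(Account,"%$") AND lower(LogonID)!="0x3e7"
| stats min(eval(if(EventCode=4624,_time,null()))) AS session_start
        max(eval(if(EventCode=4634,_time,null()))) AS session_end
        BY host Account LogonID
| where isnotnull(session_start)
| eval session_end=coalesce(session_end, now()), duration_s=session_end-session_start
| eval bucket=mvrange(floor(session_start/300)*300, session_end+1, 300)
| mvexpand bucket
| stats dc(host) AS concurrent_hosts values(host) AS hosts BY Account bucket
| where concurrent_hosts>1
| stats min(bucket) AS first_overlap max(bucket) AS last_overlap max(concurrent_hosts) AS peak_hosts values(hosts) AS hosts count AS overlap_buckets BY Account
| eval first_overlap=strftime(first_overlap,"%Y-%m-%d %H:%M:%S"), last_overlap=strftime(last_overlap,"%Y-%m-%d %H:%M:%S")
| sort - peak_hosts overlap_buckets
```

Stopping the search after the duration_s eval gives one row per session (host, Account, LogonID, start, end, duration), which is the per-session detail asked for; the remaining lines turn that into the cross-host overlap view. The where line drops machine accounts (names ending in $) and the SYSTEM logon session 0x3E7, which would otherwise dominate the results. Sessions with no matching 4634 are treated as still open and extended to now(), so run this over a bounded time range; a logon without a logoff days ago would otherwise expand into a very large number of buckets, and mvexpand is the one step here that can use real memory. Widen the bucket (300 seconds) if you only care about sustained overlap, and expect network logons (Logon_Type 3) to produce many short sessions that you may want to exclude before trusting the overlap counts.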
@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!