Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search user concurrent logins on unique hosts?

jayygee3
Engager
‎01-12-2023 03:41 PM

I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:

index=main EventCode=4624 
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account

I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.  Any tips for a Splunk Newb?

Labels (4)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-12-2023 04:15 PM

Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.

The advice round 'transaction' is good - avoid where possible, it's rarely necessary and almost never the solution for looking for long lived things.

streamstats and stats are generally what you can use. 

Here's a recent post on doing something similar, which gives examples of how you can build things

https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p...

 

 

Reply

jayygee3
Engager
‎01-12-2023 04:29 PM

@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...