Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to search user concurrent logins on unique hosts?

jayygee3
Engager
‎01-12-2023 03:41 PM

I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:

index=main EventCode=4624 
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account

I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.  Any tips for a Splunk Newb?

Labels (4)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-12-2023 04:15 PM

Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.

The advice round 'transaction' is good - avoid where possible, it's rarely necessary and almost never the solution for looking for long lived things.

streamstats and stats are generally what you can use. 

Here's a recent post on doing something similar, which gives examples of how you can build things

https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p...

 

 

Reply

jayygee3
Engager
‎01-12-2023 04:29 PM

@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...