Splunk Search

How to search user concurrent logins on unique hosts?

jayygee3
Engager

I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:

index=main EventCode=4624 
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account

I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.  Any tips for a Splunk Newb?


bowesmana
SplunkTrust

Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.

The advice around 'transaction' is good - avoid it where possible; it's rarely necessary and almost never the solution for looking for long lived things.

streamstats and stats are generally what you can use. 

Here's a recent post on doing something similar, which gives examples of how you can build things:

https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p...
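Building on the stats/streamstats advice above, here is an added SPL search (my own, not from this thread or from Splunk) that pairs each 4624 logon with its 4634 logoff to get a per-session duration, then flags any session for an account that overlaps the account's previous session on a different host. It assumes the Splunk Add-on for Windows field names (Account_Name, Logon_ID, Logon_Type, host) and that Logon_ID ties a logon to its logoff on the same host; the Logon_Type filter to interactive (2) and RDP (10) logons is an assumption to cut network-logon noise and can be dropped.

```spl
index=main (EventCode=4624 OR EventCode=4634) Logon_Type IN (2, 10)
| eval Account=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval Session=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1), mvindex(Logon_ID,0))
| eval logon_time=if(EventCode=4624,_time,null()), logoff_time=if(EventCode=4634,_time,null())
| stats min(logon_time) AS start, max(logoff_time) AS end BY Account, host, Session
| where isnotnull(start)
| eval end=coalesce(end, now()), duration=end-start
| sort 0 Account, start
| streamstats current=f last(end) AS prev_end, last(host) AS prev_host BY Account
| eval overlap_secs=if(isnotnull(prev_end) AND start<prev_end AND host!=prev_host, min(prev_end,end)-start, 0)
| where overlap_secs>0
| eval start=strftime(start,"%Y-%m-%d %H:%M:%S"), end=strftime(end,"%Y-%m-%d %H:%M:%S")
| table Account, host, prev_host, start, end, duration, overlap_secs
```

The mvcount() checks are there because 4624 carries two Account_Name/Logon_ID values (subject and new logon) while 4634 carries one, so a bare mvindex(...,1) would silently drop every logoff; a session with no 4634 in the search window is treated as still open (end=now()), so widen the time range if durations look inflated. Only the immediately preceding session per account is compared, which is enough for a first triage of shared credentials; remove the final where to list every session with its duration.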
jayygee3
Engager

@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!
