How to search user concurrent logins on unique hosts?


I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:

index=main EventCode=4624 
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account

I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage. Any tips for a Splunk Newb?

0 Karma


Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.

The advice around 'transaction' is good - avoid where possible, it's rarely necessary and almost never the solution for looking for long-lived things.

streamstats and stats are generally what you can use. 

Here's a recent post on doing something similar, which gives examples of how you can build things





@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!

0 Karma
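One way to get session duration and cross-host overlap per account for the goal in this thread, as an added Python sketch (not from the original posts, and not SPL). The event tuples are constructed, and pairing EventCode 4624 with 4634 on host plus Logon_ID is an assumption about how sessions end.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (epoch, EventCode, Account, host, Logon_ID).
# Assumption: 4624 opens a session, 4634 closes it, and they pair on host + Logon_ID.
EVENTS = [
    (1000, 4624, "alice", "WS01", "0x1a"),
    (1300, 4624, "alice", "WS02", "0x2b"),  # opens while the WS01 session is live
    (1600, 4634, "alice", "WS01", "0x1a"),
    (1900, 4634, "alice", "WS02", "0x2b"),
    (1000, 4624, "bob", "WS03", "0x3c"),
    (1200, 4634, "bob", "WS03", "0x3c"),
    (1500, 4624, "bob", "WS04", "0x4d"),    # sequential hosts, no overlap
    (1700, 4634, "bob", "WS04", "0x4d"),
    (2000, 4624, "carol", "WS05", "0x5e"),  # no logoff seen: treated as still open
    (2100, 4624, "carol", "WS06", "0x6f"),
    (2400, 4634, "carol", "WS06", "0x6f"),
]

def build_sessions(events, now):
    """Return (account, host, start, end); an unmatched logon runs until `now`."""
    sessions = {}
    for t, code, account, host, logon_id in sorted(events):
        key = (account, host, logon_id)
        if code == 4624:
            sessions[key] = [t, now]
        elif code == 4634 and key in sessions:  # logoff with no logon in range: dropped
            sessions[key][1] = t
    return [(a, h, s, e) for (a, h, _), (s, e) in sessions.items()]

def overlapping_hosts(sessions):
    """Sweep +1/-1 edges per account; report spans with >1 distinct host live."""
    edges = defaultdict(list)
    for account, host, start, end in sessions:
        edges[account] += [(start, 1, host), (end, -1, host)]
    findings = []
    for account, evs in edges.items():
        live, seen, since = defaultdict(int), set(), None
        # sorted() puts a -1 edge before a +1 edge at the same instant, so a
        # logoff and a logon in the same second are not counted as overlap.
        for t, delta, host in sorted(evs):
            live[host] += delta
            active = {h for h, n in live.items() if n > 0}
            if len(active) > 1:
                since = t if since is None else since
                seen |= active
            elif since is not None:
                findings.append((account, since, t, sorted(seen)))
                seen, since = set(), None
    return findings
```

Session duration is `end - start` on each tuple from `build_sessions`; each finding from `overlapping_hosts` is (account, overlap start, overlap end, hosts involved).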