Splunk Search

Does anyone have any ideas about getting more precise detail on a single user logging in on more than one device, presented from a better perspective?

brian1_tate
Path Finder

I am somewhat baffled by what is returned when this search is executed. I know I can hide the OTHER or NULL values, but I get tons of single users, with login IP and domain controllers, and the search is so big it's truncated. In fact, I can't differentiate which are the source IPs of the user's devices and which are the target devices, nor do I have any thoughts on how to properly visualize this with a drilldown for management, because it doesn't make much sense. I'm truly baffled.

In simple terms, I would like to see INDIVIDUAL USERS that are logged into more than one device, and what hosts or IP addresses they are currently logged on to, rather than the domain controllers or what the count is. Length of login is fine, but the other needs come first. I know there must be a way, and trying to visualize this is a mess. There must be a way to do this and then drill down on that user so we can see who is accessing what. This is the search I have so far.

If anyone has any feedback or suggestions to my query, by all means please do comment because I am totally baffled and need an answer. Thank you all, you guys are the best and I hope to be as good as you some day.

Thx

0 Karma

haley_swarnapat
Path Finder

You should append "| stats dc()" to your search query, and remove users with a single device.
Try to append this query to your search:

| stats dc(host) as unique_device_count, last(host) as current_device by Account_Name
| search unique_device_count > 1
| table Account_Name, unique_device_count, current_device

0 Karma
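A fuller version of the same approach, as an added example that is not part of the answer above: it keeps the stats/dc pattern but separates the target device (the host that logged the event) from the source IP the user came from, drops machine accounts, and returns the values management can drill into. It assumes Windows Security logon events (EventCode 4624) indexed through the Splunk Add-on for Windows, and the index name and field names (ComputerName, Source_Network_Address, Logon_Type) are assumptions that may need adjusting to your environment.

```spl
index=wineventlog EventCode=4624
    Logon_Type IN (2, 7, 10, 11)
    NOT Account_Name="*$"
    NOT Account_Name IN ("SYSTEM", "ANONYMOUS LOGON")
| rename ComputerName AS target_host, Source_Network_Address AS source_ip
| stats dc(target_host)      AS device_count
        values(target_host)  AS devices
        values(source_ip)    AS source_ips
        earliest(_time)      AS first_login
        latest(_time)        AS last_login
        BY Account_Name
| where device_count > 1
| eval session_span_hours = round((last_login - first_login) / 3600, 1)
| eval first_login = strftime(first_login, "%Y-%m-%d %H:%M:%S"),
       last_login  = strftime(last_login,  "%Y-%m-%d %H:%M:%S")
| sort - device_count
| table Account_Name device_count devices source_ips first_login last_login session_span_hours
```

Logon types 2, 7, 10 and 11 cover interactive, unlock and remote interactive logons, so domain-controller authentication events (network logons, type 3) do not inflate the device count; for a drilldown panel, pass Account_Name as a token into the same base search with `BY target_host, source_ip` added to the stats clause.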

JDukeSplunk
Builder

Yeah, more detail is needed. However, it sounds like you are using timechart which might not be the best for this type of report.

Maybe
..|stats count(logins) as COUNT by logins, sourceip, _time

0 Karma

sundareshr
Legend

Did you mean to include your current search?
