Splunk Search

Does anyone have any ideas about getting more precise detail on a single user logging in on more than one device, to see multiple devices in a better perspective?

brian1_tate
Path Finder

I am somewhat baffled by what is returned when this search is executed. I know I can hide the OTHER or NULL values, but I get tons of single users with Login IP and Domain Controllers, and the search is so big it's truncated. In fact, I can't differentiate which are the source IPs of the user's devices and the target devices, nor do I have any thoughts on how to properly visualize this with a drill-down for management, because it doesn't make much sense. I'm truly baffled.

In simplicity, I would like to see INDIVIDUAL USERS that are logged into more than one device, and what host(s) or IP addresses they are currently logged on to, rather than the domain controllers or what the count is. Length of login is fine, but the other needs come first. I know there must be a way, and trying to visualize this is a mess. There must be a way to do this and then drill down on that user so we can see who is accessing what. This is the search I have so far.

If anyone has any feedback or suggestions on my query, by all means please do comment, because I am totally baffled and need an answer. Thank you all, you guys are the best and I hope to be as good as you some day.

Thx

0 Karma

haley_swarnapat
Path Finder

You should append "| stats dc()" to your search query, and remove users with single device.
Try to append this query to your search:

| stats dc(host) as unique_device_count, latest(host) as current_device by Account_Name
| search unique_device_count > 1
| table Account_Name, unique_device_count, current_device

0 Karma
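Building on the stats dc approach above, here is an added example (not from the original post or any of the replies) that separates the user's device from the domain controller that recorded the logon, which is the distinction the question is struggling with. It assumes Windows Security logon events (EventCode 4624) indexed with the Splunk Add-on for Microsoft Windows field names Account_Name, Logon_Type, Workstation_Name and Source_Network_Address; the index name and the logon-type filter are placeholders to adjust for your environment. Because host is the machine that logged the event (the DC, for DC-collected data), the device is taken from Workstation_Name first, then the source address, and only then host; machine accounts (names ending in $) and anonymous logons are dropped so they do not inflate the device count.

```spl
index=wineventlog EventCode=4624 Logon_Type IN (2, 3, 10, 11)
| eval user=mvindex(Account_Name, -1)
| where NOT like(user, "%$") AND user!="ANONYMOUS LOGON"
| eval device=coalesce(nullif(Workstation_Name, "-"), Source_Network_Address, host)
| stats dc(device) AS device_count,
        values(device) AS devices,
        latest(device) AS current_device,
        min(_time) AS first_logon,
        max(_time) AS last_logon,
        values(host) AS logging_hosts
    BY user
| where device_count > 1
| eval first_logon=strftime(first_logon, "%Y-%m-%d %H:%M:%S"),
       last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| sort - device_count
| table user, device_count, devices, current_device, first_logon, last_logon, logging_hosts
```

The 4624 event carries the subject account before the target account in Account_Name, so mvindex(..., -1) picks the user who actually logged on. For the drill-down, a dashboard row click can feed user=$click.value$ into the same base search ending in table _time, device, host, Logon_Type to list that user's individual sessions.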

JDukeSplunk
Builder

Yeah, more detail is needed. However, it sounds like you are using timechart, which might not be the best for this type of report.

Maybe
..|stats count(logins) as COUNT by logins, sourceip, _time

0 Karma

sundareshr
Legend

Did you mean to include your current search?
