Splunk Search

Does anyone have any ideas about getting more precise detail on a single user logging in on more than one device, showing the multiple devices in a better perspective?

brian1_tate
Path Finder

I am somewhat baffled by what is returned when this search is executed. I know I can hide the OTHER or NULL values, but I get tons of single users, with Login IP and Domain Controllers, and the search is so big it's truncated. In fact, I can't differentiate which are the source IPs of the user's devices and which are the target devices, nor do I have any thoughts on how to properly visualize this with a drill-down for management, because it doesn't make much sense. I'm truly baffled.

Put simply, I would like to see INDIVIDUAL USERS that are logged into more than one device and what hosts or IP addresses they are currently logged on to, rather than the domain controllers or what the count is. Length of login is fine, but the other needs come first. I know there must be a way, and trying to visualize this is a mess. There must be a way to do this and then drill down on that user so we can see who is accessing what. This is the search I have so far.

If anyone has any feedback or suggestions on my query, by all means please do comment, because I am totally baffled and need an answer. Thank you all, you guys are the best and I hope to be as good as you some day.

Thx

0 Karma

haley_swarnapat
Path Finder

You should append "| stats dc()" to your search query, and remove users with a single device.
Try to append this query to your search:

| stats dc(host) as unique_device_count, last(host) as current_device by Account_Name | search unique_device_count > 1
| table Account_Name, unique_device_count, current_device

0 Karma
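The aggregation above is the right shape, but the field it distinct-counts matters: on a Windows Security event (EventCode 4624) the `host` field is the computer that wrote the event, which for domain logons is the domain controller, whereas the device the user is actually sitting at appears in `Source_Network_Address` and `Workstation_Name`. The following is an added example, not code from the thread or from Splunk, that runs the same "users seen on more than one device" logic in plain Python over constructed 4624-style events so the grouping can be checked outside Splunk. It assumes the Windows TA field names (`Account_Name`, `Source_Network_Address`, `Workstation_Name`, `Logon_Type`, `host`), and the hostnames, users and addresses in the sample are made up. It also shows the two filters that usually make such a report readable: dropping machine accounts (names ending in `$`) and dropping events whose source address and workstation are both `-`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the key=value shape the Splunk Windows TA
# extracts for EventCode 4624. Field names assume that TA; every host, user
# and address below is invented for this example.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=alice Source_Network_Address=10.1.1.10 Workstation_Name=WS-ALICE
2024-05-01T08:05:12 host=DC02 EventCode=4624 Logon_Type=3 Account_Name=alice Source_Network_Address=10.1.1.10 Workstation_Name=WS-ALICE
2024-05-01T08:07:45 host=DC01 EventCode=4624 Logon_Type=10 Account_Name=alice Source_Network_Address=10.1.2.55 Workstation_Name=JUMP01
2024-05-01T08:10:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=bob Source_Network_Address=10.1.1.20 Workstation_Name=WS-BOB
2024-05-01T08:11:30 host=DC02 EventCode=4624 Logon_Type=3 Account_Name=bob Source_Network_Address=10.1.1.20 Workstation_Name=WS-BOB
2024-05-01T08:12:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=WS-BOB$ Source_Network_Address=10.1.1.20 Workstation_Name=WS-BOB
2024-05-01T08:12:10 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=WS-BOB$ Source_Network_Address=10.1.1.99 Workstation_Name=-
2024-05-01T08:15:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=carol Source_Network_Address=10.1.3.7 Workstation_Name=WS-CAROL
2024-05-01T08:16:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=carol Source_Network_Address=10.1.3.8 Workstation_Name=WS-LAB
2024-05-01T08:17:00 host=DC02 EventCode=4624 Logon_Type=3 Account_Name=carol Source_Network_Address=10.1.3.9 Workstation_Name=WS-LAB2
2024-05-01T08:18:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=dave Source_Network_Address=- Workstation_Name=-
2024-05-01T08:19:00 host=DC01 EventCode=4624 Logon_Type=3 Account_Name=dave Source_Network_Address=10.1.4.4 Workstation_Name=WS-DAVE
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one 'timestamp key=value ...' line into a field dict plus _time."""
    ts, rest = line.split(" ", 1)
    fields = dict(_KV.findall(rest))
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def is_user_logon(event):
    """Keep successful logons by real user accounts; drop machine accounts ($)."""
    name = event.get("Account_Name", "")
    if not name or name == "-" or name.endswith("$"):
        return False
    return event.get("EventCode") == "4624"


def source_device(event):
    """The device the user is on: the source IP, falling back to the
    client-reported workstation name. Returns None when neither is known,
    which is common for some Kerberos and service logons."""
    ip = event.get("Source_Network_Address", "-")
    ws = event.get("Workstation_Name", "-")
    if ip in ("-", "", "::1", "127.0.0.1"):
        ip = None
    if ws in ("-", ""):
        ws = None
    return ip or ws


def multi_device_users(lines, min_devices=2):
    """Return {user: {device: last_seen}} for users seen on >= min_devices
    distinct source devices, each user's devices ordered most recent first.
    This is the equivalent of dc(Source_Network_Address) > 1 by Account_Name,
    but it keeps the device list so the report can drill down per user."""
    by_user = defaultdict(dict)
    for line in lines.splitlines():
        ev = parse_event(line)
        if not is_user_logon(ev):
            continue
        dev = source_device(ev)
        if dev is None:
            continue
        seen = by_user[ev["Account_Name"]]
        if dev not in seen or ev["_time"] > seen[dev]:
            seen[dev] = ev["_time"]
    return {
        user: dict(sorted(devs.items(), key=lambda kv: kv[1], reverse=True))
        for user, devs in by_user.items()
        if len(devs) >= min_devices
    }


def report_rows(result):
    """Flatten to (user, device_count, devices) rows for a table or dashboard."""
    return [(u, len(d), list(d)) for u, d in sorted(result.items())]


if __name__ == "__main__":
    for user, count, devices in report_rows(multi_device_users(SAMPLE_EVENTS)):
        print(f"{user:<8} {count} device(s): {', '.join(devices)}")
```

With the constructed input, alice (workstation plus a jump host) and carol (three lab machines) are reported, while bob is not, because his two events against two different domain controllers came from the same source address; counting `host` instead would have flagged him. The Splunk equivalent of the same filtering is to exclude `Account_Name="*$"` and `Source_Network_Address="-"` before the `stats` and to distinct-count `Source_Network_Address` (or `Workstation_Name`) rather than `host`.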

JDukeSplunk
Builder

Yeah, more detail is needed. However, it sounds like you are using timechart which might not be the best for this type of report.

Maybe
..|stats count(logins) as COUNT by logins, sourceip, _time

0 Karma

sundareshr
Legend

Did you mean to include your current search?
