Splunk Search

splunk search for users logging onto servers

chetanchauhan
New Member

Hi,

I have deployed splunk to log data of users who are logging onto servers (unix and windows). I want to create a report that shows users who are not permitted to log onto those servers. I have been given a list of users which are permitted to log on so wanted to create a search which shows user logging on except the permitted users. I am trying to use the following:

    | stats count by User

Please can someone advise what commands to use to included the list of permitted users i have and to exempt them from the search result?

Regards,

Chetan


chetanchauhan
New Member

Hi,

Thanks, the following worked:

EventCode=18453 | search NOT [ | inputlookup allowed_users.csv ] | stats count by User

However, the header of the CSV file should be User to match the syslog message.

Regards,


somesoni2
Revered Legend

You can rename the field name in the subsearch. That way you can keep your CSV headers the same as before.

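An added example of the rename-in-subsearch approach described above (this is not code from the original thread or from Splunk's documentation). It assumes the CSV is uploaded as the lookup file allowed_users.csv with a column header named username (an assumed name; the thread's own file uses User), and it keeps the EventCode the asker used; host is the field Splunk attaches to every event, so the per-server breakdown needs no extra configuration:

```spl
EventCode=18453
| search NOT [
    | inputlookup allowed_users.csv
    | rename username AS User
    | table User
  ]
| stats count AS LoginCount, dc(host) AS ServerCount, values(host) AS Servers, max(_time) AS LastLogin BY User
| eval LastLogin=strftime(LastLogin, "%Y-%m-%d %H:%M:%S")
| sort - LoginCount
```

The subsearch is expanded into a clause of the form (User="alice") OR (User="bob") before the outer search runs, which is why the renamed column must match the event field name exactly. Subsearches are capped by the limits.conf setting maxout (10,000 results by default), so a permitted-user list larger than that is silently truncated and unauthorised logons can be missed; for large lists, a lookup-based exclusion avoids that limit.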

chetanchauhan
New Member

Hi,

Thanks for your assistance. Is there any particular place the allowed_user.csv would need to be? For example, if I am on a Terminal Server and running Splunk HTTP, can that CSV be somewhere on that terminal server and I direct the lookup to it?

Regards,


kalianov
Path Finder

I think that your user.csv must be placed in $SPLUNK_HOME/etc/system/lookups on your Splunk server, and you need to add some stanzas to $SPLUNK_HOME/etc/system/transforms.conf, something like this:

    [allowed_users]
    filename=user.csv


somesoni2
Revered Legend

Try something like this (assuming you have the list of permitted users and have configured it as a lookup, say allowed_users.csv):

your base search giving all users | search NOT [ |inputlookup allowed_users.csv | table User] | stats count as LoginCount by User

This should show you the login count for the users which are not present in the allowed_users.csv, which lists the users which are allowed.
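An added example of the same exclusion done with the lookup command instead of a subsearch (not code from the thread or from Splunk). It assumes a lookup definition named allowed_users, as in the transforms.conf stanza kalianov shows, whose CSV has a column header username (an assumed name). The lookup adds a field only for users found in the list, so rows where that field is null are the logons by users outside the permitted list:

```spl
EventCode=18453
| lookup allowed_users username AS User OUTPUT username AS permitted
| where isnull(permitted)
| stats count AS LoginCount, dc(host) AS ServerCount, values(host) AS Servers, max(_time) AS LastLogin BY User
| eval LastLogin=strftime(LastLogin, "%Y-%m-%d %H:%M:%S")
| sort - LoginCount
```

Because every event is matched against the lookup table directly, this form is not subject to the subsearch result limit and scales to large permitted-user lists. Two things to check before trusting the report: CSV lookups match case-sensitively unless case_sensitive_match is set to false in the lookup's transforms.conf stanza, and the User value in the events must be in the same form as the list (for example, with or without the DOMAIN\ prefix), otherwise permitted users appear as violations or, worse, unauthorised logons are matched against the wrong name and hidden.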
