Hello all,
I have the following search:
index="vpn_gateway" eventtype="vpn-authall" |
stats dc(vpnuid) by vpnclient |
search "dc(vpnuid)" > 1 |
fields vpnclient, dc(vpnuid) |
sort -dc(vpnuid)
This command searches our VPN index for any authentication events, counts them by source IP address, and if a particular IP has signed in on 2 or more accounts, the IP address and number of users are returned:
vpnclient | dc(vpnuid)
10.0.8.1 | 2
10.0.2.2 | 3
What I'd like to do is also include the ID of the users. The output should look as follows:
vpnclient | dc(vpnuid) | userid
10.0.8.1 | 2 | jsmith, smatthews
10.0.2.2 | 3 | bcarol, jjefferson, jsmith
Is this possible? I'm at a loss.
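
Added example, not part of the original post: one way to produce the output described above is to collect the distinct user IDs with `values()` in the same `stats` call that computes the distinct count. The index, event type and field names are taken from the post; `user_count` is a name chosen here, and `mvjoin` is used on the assumption that a single comma-separated string per source IP is wanted.

```spl
index="vpn_gateway" eventtype="vpn-authall"
| stats dc(vpnuid) AS user_count values(vpnuid) AS userid BY vpnclient
| where user_count > 1
| eval userid=mvjoin(userid, ", ")
| sort - user_count
| table vpnclient user_count userid
```

Renaming the aggregate with `AS` avoids having to quote `dc(vpnuid)` as a field name in later commands, and `values()` returns each user ID once per source IP, in lexicographical order.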