If you have a sample search such as the one below:
sourcetype=HOSTS | stats values(user) as USERS_OF_COMPUTER dc(user) as TOTAL_USERS_OF_COMPUTER by HOSTNAME | where TOTAL_USERS_OF_COMPUTER > 1
You will get a table containing a computer, a list of users associated with this device, and a count of how many users, providing the count is greater than 1.
I want to be able to search for user John.Smith, and come up with all the computers that contain John.Smith as a user, as well as all the other users associated with this computer.
Currently, if I just add "user=john.smith" to the search, I get no results in my table. I would get results if I removed the greater-than-1 requirement, but only for that specific user. I want to see all the other users displayed in the same table.
Any suggestions would be helpful. Thanks!
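
Added example, not part of the original post: putting user=john.smith before stats leaves each host with one distinct user, so the where clause drops every row. Filtering the aggregated multivalue field after stats keeps the other users on each host; the field names and user value are the ones from the post.

```spl
sourcetype=HOSTS
| stats values(user) as USERS_OF_COMPUTER dc(user) as TOTAL_USERS_OF_COMPUTER by HOSTNAME
| where TOTAL_USERS_OF_COMPUTER > 1
| search USERS_OF_COMPUTER="john.smith"
```

The search command compares field values case-insensitively and keeps a row when any value of the multivalue field matches.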