I am trying to display a table of users' usage for each individual computer that they have used. I can get the result I want when I search for an individual user using the search below:
index=windows_os user=User3 tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647)
|transaction host startswith="4624" endswith="4647"
|eval "Time" = round(duration/60,0)
|stats sum(Time) count by host
|table host, sum(Time)
RESULT:
host sum(Time)
MU00043103 14
MU00042261 31
What I want to do is set user to * or not specify a user to view all users. I have tried the following:
index=windows_os tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647) user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
| transaction host startswith="4624" endswith="4647"
| table user, host, duration
| eval "Time" = round(duration/60,2)
| table user, host, "Time"
| sort user
RESULTS:
user host Time
User1 MU00041577 105
User2 MU00041691 10
User3 MU00043103 9
User3 MU00042261 22
User3 MU00043103 5
User3 MU00042261 9
User 4 MU00041691 8
User5 MU00081455 3
User5 MU00081455 3
User5 MU00081455 4
User5 MU00081455 3
However, when I use the search above, the events are not grouped by user on each computer. The result I would like to see is:
RESULTS:
user host Time
User1 MU00041577 105
User2 MU00041691 10
User3 MU00043103 14
User3 MU00042261 31
User4 MU00041691 8
User5 MU00081455 13
Any help would be much appreciated.
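As an added example (not part of the original post), the following search shows one way to roll the per-session durations up into one row per user and host. It keeps the original filters and event codes; the assumptions are that each 4647 logoff event carries the same `user` field as its matching 4624 logon (so `user` can be added to the transaction grouping fields, which prevents two users' sessions on the same host from being merged into one transaction), and that `Time` is rounded to whole minutes as in the first search.

```spl
index=windows_os tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647) user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
| transaction user host startswith="4624" endswith="4647"
| eval Time = round(duration/60,0)
| stats sum(Time) as Time by user, host
| sort user
```

The difference from the second search in the post is the `stats ... by user, host` step: `table` only projects fields and never aggregates rows, so each transaction stays a separate line. `stats sum(Time) by user, host` adds the session minutes for every user/host pair, which is what turns the four User3 rows (9, 22, 5, 9) into the two expected rows (14 and 31). Adding `user` to `transaction` is a correctness check worth keeping when auditing interactive logons: without it, a logoff from one account can close a transaction opened by a different account on the same host.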