Splunk Search

How to search user concurrent logins on unique hosts?

jayygee3
Engager

I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time. (General count of sessions occurring at a given time) I somewhat get that done with this search:

index=main EventCode=4624 
| eval Account=mvindex(Account_Name,1)
| eventstats dc(host) AS Logins by Account
| where Logins > 1
| timechart count(Logins) BY Account

I am hoping to pivot into a search with more detail such as Account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need and have read many posts advising against this command due to resource usage.  Any tips for a Splunk Newb?


bowesmana
SplunkTrust

Session 'duration' is a fun one, as you need to be able to determine what constitutes the 'end' of the session.

The advice around 'transaction' is good - avoid where possible, it's rarely necessary and almost never the solution for looking for long lived things.

streamstats and stats are generally what you can use. 

Here's a recent post on doing something similar, which gives examples of how you can build things.

https://community.splunk.com/t5/Splunk-Search/How-to-calculate-session-times-from-large-data-set/m-p...

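Building on the stats/streamstats advice above, here is an added example search (not from either poster) that pairs 4624 logon and 4634 logoff events by Logon_ID into sessions with a duration, then flags accounts whose sessions on different hosts overlap in time. It assumes the Splunk Add-on for Windows field names (Account_Name and Logon_ID are multivalue on 4624 with the target logon at index 1, as in the original search, and single-valued on 4634) and treats a session with no matching 4634 as still open.

```spl
index=main (EventCode=4624 OR EventCode=4634)
| eval Account=lower(if(EventCode=4624, mvindex(Account_Name,1), Account_Name))
| eval LogonID=if(EventCode=4624, mvindex(Logon_ID,1), Logon_ID)
| search NOT Account="*$" NOT Account IN ("system", "anonymous logon")
| stats min(eval(if(EventCode=4624, _time, null()))) AS start
        max(eval(if(EventCode=4634, _time, null()))) AS end
        BY Account host LogonID
| where isnotnull(start)
| eval end=coalesce(end, now()), duration=end-start
| eval edge=mvappend(start."|1", end."|-1")
| mvexpand edge
| eval _time=tonumber(mvindex(split(edge,"|"),0)), delta=tonumber(mvindex(split(edge,"|"),1))
| sort 0 Account _time delta
| streamstats sum(delta) AS open_on_host BY Account host
| eval host_delta=case(delta=1 AND open_on_host=1, 1, delta=-1 AND open_on_host=0, -1, true(), 0)
| streamstats sum(host_delta) AS active_hosts BY Account
| where active_hosts > 1 AND host_delta=1
| stats count AS overlap_starts min(_time) AS first_overlap max(active_hosts) AS peak_hosts
        values(host) AS joining_hosts max(duration) AS longest_session_s BY Account
| convert ctime(first_overlap)
| sort - peak_hosts
```

Each session becomes a +1 edge at its start and a -1 edge at its end; the first streamstats counts open sessions per host, the second counts hosts with at least one open session, so a row with active_hosts > 1 is a moment when the account was logged on to more than one host at once (a candidate for shared-credential review, not proof of it).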

jayygee3
Engager

@bowesmana thanks! I read through the thread and I think I am starting to get a better idea of how to approach my situation. Appreciate the quick response!
