Users logged into specific workstation at a given time

adayton20
Contributor

Hello,

I am new to Splunk and was curious whether there is a way to search specifically for which user was logged into a machine at a given time. We had an event where someone plugged a USB device into a desktop. We have the host name and the time of the event, but want to know if there is a search where the values can be substituted in the future for events like this. The Splunk alert does not specify the user in the alert. I can display account names on the computer during a given time frame using Computername | top limit=20 Account_Name, but that lists too many users and does not display the one logged in during the specified time frame.

Thank you in advance for the help!


adayton20
Contributor

I managed to compile a search and make a panel with the information I was looking for. I currently use this to determine who was logged into a machine and change the time respectively. Thank you for the help. Format is in XML.

<form>
  <label>Find Users on Host</label>
  <description>Searches for active user sessions on a specific host and sorts by date and time.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="host" searchWhenChanged="true">
      <label>Host</label>
    </input>
  </fieldset>
  <html> Test </html>
  <row>
    <panel>
      <table>
        <title>Users</title>
        <searchString>index=windows Logon_Type=* user!=$host$* user!=SYSTEM* user!=sse* user!=SOFTGRID* user!=399* user!=KMS* user!=OCSP* host=$host$ | eval users=lower(user) | table _time, host, Logon_Type, users | sort _time | dedup _time</searchString>
        <earliestTime>-72hr</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>


lguinn2
Legend

So here's the deal - you are searching a summary index. This is data that Splunk has summarized from another source.
If you look at the search named usb_device_activity, you will be able to find the original source of this data.

It is possible that the original data source has the information that you want. The summary index does not.

You say you "were able to do this by searching for the host name in another system" - is this data stored in Splunk? Is there any data in Splunk that shows logins? If yes, Splunk can correlate the data. If no, then there is no way that a Splunk search can solve this problem.

Based on your answer, here is a revised prototype for a solution, which uses the summary index data:

sourcetype=loginstuff "userlogincriteria"
| join computerId  
    [search index=cnd_summary search_name="usb_device_activity" Product!=Blackberry*  Product=CRUZER_EDGE 
              | eval computerId=orig_host |  fields computerId  info_min_time info_max_time ]
| where _time<=info_max_time
| rename _time as User_Logged_In info_min_time as Earliest_USB_Use info_max_time as Latest_USB_Use
| table user Product computerId User_Logged_In Earliest_USB_Use Latest_USB_Use
| fieldformat User_Logged_In=strftime(User_Logged_In,"%x %X")
| fieldformat Earliest_USB_Use=strftime(Earliest_USB_Use,"%x %X")
| fieldformat Latest_USB_Use=strftime(Latest_USB_Use,"%x %X")

adayton20
Contributor

Absolutely.

This is the original search: index=cnd_summary search_name="usb_device_activity" Product!=Blackberry* Product=CRUZER_EDGE

This search brought about the report:

05/15/2014 08:15:00 -0400, search_name=usb_device_activity, search_now=1400157900.000, info_min_time=1400156100.000, info_max_time=1400157000.000, info_search_time=1400157902.136, Product=CRUZER_EDGE, SN=SERIALNUMBER, Time="05/15/2014 08:26:59 AM", Vendor=SANDISK, orig_host=COMPUTERNAME, psrsvd_gc=1, psrsvd_v=1, report="usb_device_activity"

I've taken out the computer name and serial number.

When we received this data, we were told to find out which user was logged on during the time that device was plugged in. We were able to do this by searching for the host name in another system and finding the user currently logged in, but we wanted to be able to either A.) find the user logged in at the event time through Splunk, or B.) have Splunk include the account name.


lguinn2
Legend

If you gave more information (like the original search and some info about the data), the community could give a much clearer answer. But let's start with this:

First, you have a search for a particular event: a USB device was plugged in. I assume that this event returns an identifier for the desktop. Let's assume you could do a search like this to find those events:

sourcetype=windowsstuff "USB plugged in" | table _time computerId

Second, you need to know who was logged into a particular computerId at a particular time:

sourcetype=loginstuff computerId="theidfromthelastsearch" | table _time userId computerId

You can put this all together:

sourcetype=loginstuff "userlogincriteria"
| join computerId usetime=true earlier=false overwrite=false
    [search sourcetype=windowsstuff "USB plugged in" | eval USBPluginTime=_time ]
| table _time userId computerId USBPluginTime

This may not be exactly what you need, but hopefully it will get you started.

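The correlation that both answers above describe (take the USB summary event, look up the logon events for its orig_host, keep only the user who was still logged in at the event time, and drop machine and service accounts the way the dashboard's user!= filters do), carried out in Python over constructed sample records. This is an added example, not code from the thread: the summary line reuses the field names from the report above, while the host names, user names, logon events and timestamps are made up.

```python
import re

# Constructed USB summary event: same field names as the report in the thread
# (orig_host, info_min_time, info_max_time, Product), made-up host and times.
USB_SUMMARY_EVENT = (
    'search_name=usb_device_activity, info_min_time=1400156100.000, '
    'info_max_time=1400157000.000, Product=CRUZER_EDGE, SN=SERIALNUMBER, '
    'Time="05/15/2014 08:26:59 AM", orig_host=WKS-042'
)

# Constructed Windows logon/logoff events: (epoch _time, host, user, Logon_Type, action).
LOGON_EVENTS = [
    (1400150000.0, "WKS-042", "SYSTEM",   5, "logon"),
    (1400151000.0, "WKS-042", "alice",    2, "logon"),
    (1400153000.0, "WKS-042", "alice",    2, "logoff"),
    (1400154000.0, "WKS-042", "bob",      2, "logon"),
    (1400155500.0, "WKS-042", "WKS-042$", 3, "logon"),
    (1400156500.0, "WKS-099", "carol",    2, "logon"),
]

# key=value pairs separated by commas; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]+)')

def parse_summary_event(line):
    """Parse a summary-index event into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}

def is_noise_account(user, host):
    """Mirror the dashboard's user!=SYSTEM* / user!=$host$* filters: skip service
    accounts and the computer account (HOSTNAME$)."""
    u = user.lower()
    return u.startswith("system") or u.startswith(host.lower()) or u.endswith("$")

def users_logged_in(events, host, at_time):
    """Users whose most recent interactive logon on host precedes at_time and has
    no logoff between that logon and at_time (i.e. who were still logged in)."""
    state = {}
    for t, h, user, logon_type, action in sorted(events):
        if h.lower() != host.lower() or t > at_time or is_noise_account(user, h):
            continue
        # Logon types 2, 10, 11 = interactive, remote interactive, cached interactive.
        if action == "logon" and logon_type in (2, 10, 11):
            state[user.lower()] = t
        elif action == "logoff":
            state.pop(user.lower(), None)
    return sorted(state)

def correlate(summary_line, events):
    """Join the summary event to the logon data, cutting off at info_max_time as the
    revised prototype's 'where _time<=info_max_time' does."""
    ev = parse_summary_event(summary_line)
    return ev["orig_host"], users_logged_in(events, ev["orig_host"], float(ev["info_max_time"]))
```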