Splunk Search

Does anyone have any ideas about getting more precise detail on a single user logging in on more than one device (to multiple devices), shown from a better perspective?

brian1_tate
Path Finder

I am somewhat baffled by what is returned when this search is executed. I know I can hide the OTHER or NULL values, but I get tons of single users, with login IP and domain controllers, and the search is so big it's truncated. In fact, I can't differentiate which are the source IPs of the user's devices and which are the target devices, nor do I have any thoughts on how to properly visualize this with a drill-down for management, because it doesn't make much sense. I'm truly baffled.

In simple terms, I would like to see INDIVIDUAL USERS that are logged into more than one device and what host(s) or IP addresses they are currently logged on to, rather than the domain controllers or what the count is. Length of login is fine, but the other needs come first. I know there must be a way, and trying to visualize this is a mess. There must be a way to do this and then drill down on that user so we can see who is accessing what. This is the search I have so far.

If anyone has any feedback or suggestions to my query, by all means please do comment because I am totally baffled and need an answer. Thank you all, you guys are the best and I hope to be as good as you some day.

Thx

0 Karma

haley_swarnapat
Path Finder

You should append "| stats dc()" to your search query, and remove users with a single device.
Try appending this query to your search:

| stats dc(host) as unique_device_count, last(host) as current_device by Account_Name | search unique_device_count > 1
| table Account_Name, unique_device_count, current_device

0 Karma
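The same dc()-by-user logic as this answer, carried out over constructed Windows 4624-style logon events, as an added Python example (not from this thread): it keeps the target hosts and the source IPs in separate columns, which is the distinction the original poster was missing. The field names (Account_Name, ComputerName, Source_Network_Address), host names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Windows Security 4624 (logon) records
# as Splunk commonly extracts them; hosts, IPs and account names are made up.
SAMPLE_EVENTS = """\
_time=2024-05-01T08:00:00 ComputerName=WS-0142 Account_Name=jsmith Logon_Type=2 Source_Network_Address=10.1.5.23
_time=2024-05-01T08:05:00 ComputerName=WS-0142 Account_Name=WS-0142$ Logon_Type=3 Source_Network_Address=10.1.5.23
_time=2024-05-01T08:30:00 ComputerName=SRV-FILE01 Account_Name=jsmith Logon_Type=3 Source_Network_Address=10.1.5.23
_time=2024-05-01T09:10:00 ComputerName=WS-0207 Account_Name=jsmith Logon_Type=10 Source_Network_Address=10.1.7.88
_time=2024-05-01T09:15:00 ComputerName=WS-0301 Account_Name=adoe Logon_Type=2 Source_Network_Address=10.1.9.4
_time=2024-05-01T09:40:00 ComputerName=DC01 Account_Name=adoe Logon_Type=3 Source_Network_Address=10.1.9.4
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn key=value lines into dicts; lines missing the needed fields are skipped."""
    events = []
    for line in text.splitlines():
        ev = dict(KV.findall(line))
        if {"_time", "ComputerName", "Account_Name"} <= ev.keys():
            events.append(ev)
    return events

def multi_device_users(events, exclude_dcs=()):
    """Equivalent of the SPL
         | stats dc(ComputerName) as unique_device_count, values(ComputerName) as devices,
                 values(Source_Network_Address) as source_ips,
                 last(ComputerName) as current_device by Account_Name
         | search unique_device_count > 1
       Machine accounts (name ends in '$') are dropped, and hosts listed in
       exclude_dcs (e.g. domain controllers) are not counted as devices, so
       DC logons do not inflate the per-user count."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):  # oldest first
        name = ev["Account_Name"]
        if name.endswith("$") or ev["ComputerName"] in exclude_dcs:
            continue
        per_user[name].append(ev)
    result = {}
    for name, evs in per_user.items():
        devices = sorted({e["ComputerName"] for e in evs})
        if len(devices) > 1:
            result[name] = {
                "unique_device_count": len(devices),
                "devices": devices,  # target hosts the user logged on to
                "source_ips": sorted({e.get("Source_Network_Address", "-") for e in evs}),
                "current_device": evs[-1]["ComputerName"],  # most recent logon target
            }
    return result
```

Passing the domain controllers in exclude_dcs is what keeps them out of the device list; without it a user who only touched one workstation plus a DC shows up as multi-device.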

JDukeSplunk
Builder

Yeah, more detail is needed. However, it sounds like you are using timechart which might not be the best for this type of report.

Maybe
..|stats count(logins) as COUNT by logins, sourceip, _time

0 Karma

sundareshr
Legend

Did you mean to include your current search?
