Splunk Search

Does anyone have any ideas about getting more precise detail on a single user logging in on more than one device to multiple devices, from a better perspective?

brian1_tate
Path Finder

I am somewhat baffled by what is returned when this search is executed. I know I can hide the OTHER or NULL values, but I get tons of single users, with login IP and domain controllers, and the search is so big it's truncated. In fact, I can't differentiate which are the source IPs of the user's devices and which are the target devices, nor do I have any thoughts on how to properly visualize this with a drill-down for management, because it doesn't make much sense. I'm truly baffled.

In simplicity, I would like to see INDIVIDUAL USERS that are logged into more than one device and what hosts or IP addresses they are currently logged on to, rather than the domain controllers or what the count is. Length of login is fine, but the other needs come first. I know there must be a way, and trying to visualize this is a mess. There must be a way to do this and then drill down on that user so we can see who is accessing what. This is the search I have so far.

If anyone has any feedback or suggestions on my query, by all means please do comment, because I am totally baffled and need an answer. Thank you all, you guys are the best and I hope to be as good as you some day.

Thx

0 Karma

haley_swarnapat
Path Finder

You should append "| stats dc()" to your search query and remove users with a single device.
Try appending this query to your search:

| stats dc(host) as unique_device_count, last(host) as current_device by Account_Name | search unique_device_count > 1
| table Account_Name, unique_device_count, current_device

0 Karma
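As an added illustration (not code from this thread), the Python below applies the same "distinct count by Account_Name, then keep counts above 1" logic offline to a constructed batch of Windows 4624-style logon events. It assumes the Splunk-extracted field names Account_Name, Source_Network_Address and ComputerName, and it counts distinct source addresses rather than the recording host, so a user whose logons were simply recorded by two domain controllers is not mistaken for a user on two devices.

```python
"""Offline equivalent of a Splunk 'stats dc(...) by Account_Name | where dc > 1'.

Assumed field names (as extracted from Windows 4624 events in Splunk):
  Account_Name           - the user who logged on
  Source_Network_Address - the workstation the logon came from (user's device)
  ComputerName           - the host that recorded the event (here, a DC)
"""
from collections import defaultdict

# Constructed sample events, not real data. Note bob: one device, two DCs.
SAMPLE_EVENTS = [
    {"_time": 1000, "Account_Name": "alice", "Source_Network_Address": "10.1.1.10", "ComputerName": "DC01"},
    {"_time": 1100, "Account_Name": "alice", "Source_Network_Address": "10.1.1.10", "ComputerName": "DC02"},
    {"_time": 1200, "Account_Name": "alice", "Source_Network_Address": "10.1.2.55", "ComputerName": "DC01"},
    {"_time": 1300, "Account_Name": "bob",   "Source_Network_Address": "10.1.1.20", "ComputerName": "DC01"},
    {"_time": 1400, "Account_Name": "bob",   "Source_Network_Address": "10.1.1.20", "ComputerName": "DC02"},
    {"_time": 1500, "Account_Name": "carol", "Source_Network_Address": "10.1.3.7",  "ComputerName": "DC01"},
    {"_time": 1600, "Account_Name": "carol", "Source_Network_Address": "10.1.3.8",  "ComputerName": "DC01"},
    {"_time": 1700, "Account_Name": "carol", "Source_Network_Address": "10.1.3.9",  "ComputerName": "DC01"},
]


def multi_device_users(events, min_devices=2):
    """Return users seen from at least `min_devices` distinct source addresses.

    Mirrors: | stats dc(Source_Network_Address) as device_count,
                     values(Source_Network_Address) as devices,
                     values(ComputerName) as recorded_on,
                     min(_time) as first_seen, max(_time) as last_seen
                     by Account_Name
             | where device_count >= min_devices
    """
    by_user = defaultdict(lambda: {"devices": set(), "recorded_on": set(), "times": []})
    for ev in events:
        row = by_user[ev["Account_Name"]]
        row["devices"].add(ev["Source_Network_Address"])   # the user's devices
        row["recorded_on"].add(ev["ComputerName"])         # DCs that logged it
        row["times"].append(ev["_time"])
    result = {}
    for user, row in by_user.items():
        if len(row["devices"]) >= min_devices:        # drop single-device users
            result[user] = {
                "device_count": len(row["devices"]),
                "devices": sorted(row["devices"]),
                "recorded_on": sorted(row["recorded_on"]),
                "first_seen": min(row["times"]),
                "last_seen": max(row["times"]),
            }
    return result


if __name__ == "__main__":
    for user, row in multi_device_users(SAMPLE_EVENTS).items():
        print(user, row)
```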

JDukeSplunk
Builder

Yeah, more detail is needed. However, it sounds like you are using timechart, which might not be the best for this type of report.

Maybe
..|stats count(logins) as COUNT by logins, sourceip, _time

0 Karma

sundareshr
Legend

Did you mean to include your current search?
