Splunk Search

How to find an active user session on different machines at the same time?

guimilare
Communicator

Hello Splunkers.

Using the wineventlog I can tell when a user logged on and off based on EventCodes 4624 and 4634 and the logon id:

Logon:

03/09/2017 11:54:51 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxxxxxxxx
TaskCategory=Logon
OpCode=Info
RecordNumber=xxxxx
Keywords=Audit Success
Message=An account was successfully logged on.
...
New Logon:
Security ID:        XXX\visit
Account Name:       visit
Account Domain:     XXX
Logon ID:       0xA2207D111

Logoff:

03/09/2017 12:11:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=xxxxxx
TaskCategory=Logoff
OpCode=Info
RecordNumber=xxxxxx
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        XXX\visit
    Account Name:       visit
    Account Domain:     XXX
    Logon ID:       0xA2207D111

However, I need to know when the same Account Name is in use on two machines, I mean, when there are two sessions active at the same time.

Any ideas how I can do this?

Regards,
GMA

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | streamstats current=f last(EventCode) AS nextEventCode BY user
| reverse
| streamstats current=f last(EventCode) AS prevEventCode BY user
| reverse
| search (EventCode=4624 AND prevEventCode=4624) OR (EventCode=4624 AND nextEventCode=4624)

This shows you any time any user has 2 logins (4624) without a logout between them (4634). This is a HUGE shortcut.


0 Karma
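An added example, not code from the thread or from Splunk: a standalone Python script that does what the question asks on constructed sample records, pairing 4624/4634 events by Logon ID into sessions and reporting every account with time-overlapping sessions on two different ComputerNames. It goes a step beyond the accepted answer by handling sessions that never logged off and by keying sessions on (ComputerName, Logon ID), since a Logon ID is only unique per machine.

```python
import re
from datetime import datetime
from itertools import combinations

# Constructed sample data (not from the thread): one flattened record per event,
# keeping only the fields of the wineventlog excerpts that the logic needs.
SAMPLE_EVENTS = """\
03/09/2017 11:54:51 AM ComputerName=HOST1 EventCode=4624 Account Name: visit Logon ID: 0xA2207D111
03/09/2017 11:58:03 AM ComputerName=HOST2 EventCode=4624 Account Name: visit Logon ID: 0xB11F0C2A7
03/09/2017 12:11:21 PM ComputerName=HOST1 EventCode=4634 Account Name: visit Logon ID: 0xA2207D111
03/09/2017 12:20:00 PM ComputerName=HOST2 EventCode=4634 Account Name: visit Logon ID: 0xB11F0C2A7
03/09/2017 12:30:00 PM ComputerName=HOST1 EventCode=4624 Account Name: alice Logon ID: 0x1C3D5E7F9
03/09/2017 12:45:00 PM ComputerName=HOST1 EventCode=4634 Account Name: alice Logon ID: 0x1C3D5E7F9
03/09/2017 12:50:00 PM ComputerName=HOST2 EventCode=4624 Account Name: alice Logon ID: 0x2A4B6C8D0
03/09/2017 01:00:00 PM ComputerName=HOST1 EventCode=4624 Account Name: bob Logon ID: 0x3E5F7A9B1
03/09/2017 01:05:00 PM ComputerName=HOST2 EventCode=4624 Account Name: bob Logon ID: 0x4F6A8B0C2
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) ComputerName=(?P<host>\S+) "
    r"EventCode=(?P<code>\d+) Account Name: (?P<user>\S+) Logon ID: (?P<lid>0x[0-9A-Fa-f]+)$")

def parse_events(text):
    """Yield (time, host, code, user, logon_id); records that do not match are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["host"], int(m["code"]), m["user"], m["lid"]

def build_sessions(events):
    """Pair 4624 with 4634 -> {(host, logon_id): [user, start, end]}. The key includes
    the host because a Logon ID is only unique per machine; a session with no 4634
    yet keeps end=datetime.max (still open)."""
    sessions = {}
    for ts, host, code, user, lid in sorted(events, key=lambda e: e[0]):
        if code == 4624:
            sessions[(host, lid)] = [user, ts, datetime.max]
        elif code == 4634 and (host, lid) in sessions:   # unmatched 4634 is ignored
            sessions[(host, lid)][2] = ts
    return sessions

def find_overlaps(sessions):
    """Return (user, hostA, lidA, hostB, lidB, overlap_start, overlap_end) for each pair
    of sessions of one account on different hosts whose time intervals intersect;
    overlap_end is datetime.max while both sessions are still open."""
    hits = []
    for ((ha, la), (ua, sa, ea)), ((hb, lb), (ub, sb, eb)) in combinations(sessions.items(), 2):
        if ua == ub and ha != hb and sa < eb and sb < ea:
            hits.append((ua, ha, la, hb, lb, max(sa, sb), min(ea, eb)))
    return hits

def concurrent_sessions(text=SAMPLE_EVENTS):
    return find_overlaps(build_sessions(parse_events(text)))
```

On the sample data this reports "visit" (HOST1 and HOST2 overlapping between 11:58:03 and 12:11:21) and "bob" (two sessions still open), and nothing for "alice", whose HOST2 logon only happens after the HOST1 logoff.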



guimilare
Communicator

I tried this:

index="myindex_wineventlog" user=visit (EventCode=4624 OR EventCode=4634) | rex field=_raw ".*(?<tr_id>0x\w{9})" | transaction tr_id | concurrency duration=duration

However, this search brings the durations of the sessions, and not the sessions that overlap...

0 Karma