Hi,

The code is like

index=main host=server10 (EventCode=4624 OR  EventCode=4634) Logon_Type=3 NOT user="*$" NOT user "ANONYMOUS LOGON"

| dedup user | where NOT MsgID==AUT22673 | eval LoginTime=_time | table user LoginTime

The output will list active RDP user.  No idea how to fix the rest of it, either

1: If number of user == 0, then print "No Remote desktop user"

2: Or put number of user into a Single Value, Radial Gauge (not username)

Sounds so easy but I cannot figure out how to fix it.  Too little Splunk experience.

Rgds

Geir