Hi,
The code is like
index=main host=server10 (EventCode=4624 OR EventCode=4634) Logon_Type=3 NOT user="*$" NOT user="ANONYMOUS LOGON"
| dedup user | where NOT MsgID=="AUT22673" | eval LoginTime=_time | table user LoginTime
The output will list active RDP users. No idea how to fix the rest of it, either
1: If number of users == 0, then print "No Remote desktop user"
2: Or put number of users into a Single Value, Radial Gauge (not username)
Sounds so easy but I cannot figure out how to fix it. Too little Splunk experience.
Rgds
Geir
Thanks
Do you just need a count of (distinct) users?
| stats dc(user) as users