| rex "User:(?\w+) The user is authenticated and logged in."

But this does not return any data.

"The user is authenticated and logged in."

I later tried the following:

index="myIndex" source="mySource2"

Also, I did not fetch the name from the second search.

"User:myUserID The user is authenticated and logged in."

But I found out that the second search returns data to the first search.

The purpose of the table is to show the user IDs (found in mySource1) and show the latest login event (found in mySource2) so that you can tell when each user last logged in.

Where USER is column 1 and LATEST column 2.

Walt, 13:49:57,654 User:walt The user is authenticated and logged in
Skylar, 13:49:57,654 User:skylar The user is authenticated and logged in.
Hank, 13:49:57,654 User:hank The user is authenticated and logged in.

In Splunk I need a dashboard, with a statistics table, looking like this:

USER, LATEST

13:49:57,654 User:hank The user is authenticated and logged in.
13:49:57,654 User:walt The user is authenticated and logged in.
13:49:57,654 User:skylar The user is authenticated and logged in.

MySource2 example

13:49:57,654 User:hank The user is authenticated and logged in.

17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: administrator
17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: administrator
17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator
17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: operator

MySource1 example

17:00:01 - Naam van gebruiker: hank - Rol van gebruiker: operator