Splunk search for list of Linux user accounts
sourcetype=linux_secure NOT "invalid user" | rex "\suser\s(?<User>[^\s]+)\s" | stats count by User
This search provides a count of events reported by Linux systems, separated out by user. It does not take into consideration the host that reported the data; it is based purely on username.
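
The following is an added example, not part of the original page: a Python approximation of the search run over constructed sample events, showing which lines the rex pattern counts, which it skips, and that counts merge across hosts. The sample log lines, the function name and the substring stand-in for the NOT "invalid user" filter are assumptions made for illustration.

```python
import re
from collections import Counter

# Same pattern as the rex in the search; Python spells the named group
# (?P<User>...) where Splunk accepts (?<User>...).
USER_RE = re.compile(r"\suser\s(?P<User>[^\s]+)\s")

# Constructed sample events in the style of /var/log/secure (not real data).
SAMPLE_EVENTS = [
    "Mar  3 10:01:12 web01 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:02:40 web01 sshd[2107]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2",
    "Mar  3 10:03:05 db01 sshd[880]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:04:19 db01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)",
    "Mar  3 10:05:00 web01 sshd[2101]: pam_unix(sshd:session): session closed for user alice",
    "Mar  3 10:06:31 web01 sshd[2150]: Accepted password for carol from 192.0.2.44 port 50310 ssh2",
]


def count_by_user(events):
    """Approximate: NOT "invalid user" | rex ... | stats count by User.

    Returns (counts, unmatched). Events in `unmatched` pass the filter but
    get no User field, so `stats count by User` would leave them out.
    """
    counts = Counter()
    unmatched = []
    for raw in events:
        # Stand-in for the NOT "invalid user" filter (case-insensitive substring).
        if "invalid user" in raw.lower():
            continue
        match = USER_RE.search(raw)
        if match:
            counts[match.group("User")] += 1
        else:
            unmatched.append(raw)
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = count_by_user(SAMPLE_EVENTS)
    for user, n in sorted(counts.items()):
        print(f"{user}\t{n}")
    print("not counted:")
    for raw in unmatched:
        print("  " + raw)
```

In this sample, alice's events from web01 and db01 are counted together, while the "session closed" event that ends with the username and the "Accepted password for carol" event are not counted: the pattern needs the word "user" before the name and a whitespace character after it.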