Splunk search for Most active Linux users
sourcetype=linux_secure NOT "invalid user" | rex "\suser\s(?<User>[^\s]+)\s" | top User showperc=f
This search lists the most active users across all Linux systems that report into Splunk. It does not distinguish between Linux hosts, and because events containing "invalid user" are filtered out it only shows activity from valid users.
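To see exactly which events the search counts, here is an added Python re-implementation of the same pipeline (the "invalid user" exclusion, the rex capture and the top count) run over constructed /var/log/secure style lines; it is not part of the original page. It also exposes a caveat: lines such as "Accepted publickey for alice" or sudo's "USER=root" never contain " user <name> ", so the rex silently drops them and the count reflects mostly PAM session-open events.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (sourcetype linux_secure).
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:01:40 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:05 web01 sshd[2215]: Invalid user admin from 198.51.100.7 port 51023
Mar  3 10:02:30 web01 sshd[2220]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 10:03:11 db01 sshd[3101]: Accepted publickey for alice from 10.0.0.5 port 40110 ssh2
Mar  3 10:03:12 db01 sshd[3101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:04:00 db01 su[3150]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar  3 10:04:45 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# Same capture as the SPL rex: whitespace, "user", whitespace, the token, whitespace.
# Splunk's rex is case-sensitive by default, so "USER=root" does not match.
USER_RE = re.compile(r"\suser\s(?P<User>[^\s]+)\s")


def top_users(log_text, limit=10):
    """Mirror of: NOT "invalid user" | rex ... | top User showperc=f
    Returns [(user, count), ...] sorted by count, highest first."""
    counts = Counter()
    for line in log_text.splitlines():
        # Splunk keyword search is case-insensitive, so "Invalid user" is excluded too.
        if "invalid user" in line.lower():
            continue
        m = USER_RE.search(line)  # rex keeps only events where the pattern matches
        if m:
            counts[m.group("User")] += 1
    return counts.most_common(limit)


def unmatched_lines(log_text):
    """Lines that pass the filter but yield no User field and so never reach 'top'."""
    return [line for line in log_text.splitlines()
            if "invalid user" not in line.lower() and not USER_RE.search(line)]


if __name__ == "__main__":
    for user, count in top_users(SAMPLE_LOG):
        print(f"{user}\t{count}")
    print("dropped by rex:", len(unmatched_lines(SAMPLE_LOG)))
```

Run against real data, compare the row count of the search with and without the rex stage to see how much of the sourcetype this pattern actually covers.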