Forum Discussion
log search showing logged on users
Hi all.
I'm not sure if this is the right place to ask, but here goes.
I have been asked to make a dashboard showing the count of users currently logged in to our local ad.
I have the data in oms, and i have made this query so fare:
SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize count() by TargetAccount
But i'm kind of stuck here.
I can't get it to show a number, i have tried different methods, but not with the result i was hoping for.
Hope for some input or pointers to what i can do.
Best regards
Jan
Hi Jan,
Is this what you are looking for:
SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize dcount(TargetAccount)?
It would show you total number of users that logged on to the server but not the number of users that are currently logged on.
To do this, you need to left Join the list of users on the 4624 records with the list of users that have 4634 or 4647 records. Those that doesn't have a match are still logged on.
Hope this helps,
Meir :->
2 Replies
- Meir_Mendelovich
Microsoft
Hi Jan,
Is this what you are looking for:
SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize dcount(TargetAccount)?
It would show you total number of users that logged on to the server but not the number of users that are currently logged on.
To do this, you need to left Join the list of users on the 4624 records with the list of users that have 4634 or 4647 records. Those that doesn't have a match are still logged on.
Hope this helps,
Meir :->
That help, thank you, i completly missed the dcount parameter.
Now i just have to get the joins to work.
Ragards
Jan Dam
