SOLVED

log search showing logged on users

Copper Contributor

Hi all.

 

I'm not sure if this is the right place to ask, but here goes.

 

I have been asked to make a dashboard showing the count of users currently logged in to our local ad.

 

I have the data in oms, and i have made this query so fare:

 

SecurityEvent

| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize count() by TargetAccount

 

But i'm kind of stuck here.

I can't get it to show a number, i have tried different methods, but not with the result i was hoping for.

 

Hope for some input or pointers to what i can do.

 

Best regards

Jan

 

2 Replies
best response confirmed by Jan Løbner Dam (Copper Contributor)
Solution

Hi Jan,

 

 

Is this what you are looking for:

SecurityEvent

| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize dcount(TargetAccount)

 

?

 

It would show you total number of users that logged on to the server but not the number of users that are currently logged on.

To do this, you need to left Join the list of users on the 4624 records with the list of users that have 4634 or 4647 records. Those that doesn't have a match are still logged on.

 

Hope this helps,

Meir :>

That help, thank you, i completly missed the dcount parameter.

 

Now i just have to get the joins to work.

 

Ragards

 

Jan Dam

1 best response

Accepted Solutions
best response confirmed by Jan Løbner Dam (Copper Contributor)
Solution

Hi Jan,

 

 

Is this what you are looking for:

SecurityEvent

| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize dcount(TargetAccount)

 

?

 

It would show you total number of users that logged on to the server but not the number of users that are currently logged on.

To do this, you need to left Join the list of users on the 4624 records with the list of users that have 4634 or 4647 records. Those that doesn't have a match are still logged on.

 

Hope this helps,

Meir :>

View solution in original post