Hi Guys,
I'm having a bit of trouble with this. Basically I wish to show who is into this device on a dashboard and I have a great search which takes the last login state and should work. My problem is that the device logs in such a way that the last state is always 'out' and will show users being 'logged out' even if they are in fact 'logged in' as the example below states. Would there possibly be way in which my search could discount the last login state? Or perhaps do this another way, I'm open to any suggestions.<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog
Any help would be massively appreciated.
Cheers
↧