The following Splunk query returns the top 10 most active users in a given time range, where "active" means the user name appears most often in events whose text matches the rex pattern (this includes failed attempts, such as "Failed password for invalid user admin"):
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User
Count of Unique Users in a Linux Environment
This Splunk query returns the total number of distinct user names extracted in a given time range:
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)
List of Users in a Linux Environment
The following Splunk query outputs a list of the user accounts appearing in linux_secure audit logs, with an event count for each. Note that the rex only extracts a User field from events containing the literal token "user" (for example "session opened for user root" or "Invalid user admin"); events without it, such as "Accepted password for alice", get no User field and are not counted by any of these three searches.
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats count by User
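To see exactly what the rex above extracts, and which events it silently skips, here is an added Python walk-through of all three searches (top 10, dc(User), and count by User) run over a handful of constructed linux_secure-style lines. This is example code written for this page, not a Splunk component; the sample events, host names and IPs are made up. Splunk's rex uses PCRE named groups written (?<User>...); Python's re module spells the same group (?P<User>...), which is the only change to the pattern.

```python
"""Offline walk-through of the rex-based user queries on constructed linux_secure lines."""
import re
from collections import Counter

# Same pattern as the page's rex; only the named-group syntax differs between PCRE and Python.
USER_RE = re.compile(r"\suser[^'](?P<User>\S+\w+)")

# Constructed sample events (not real logs), shaped like sshd/sudo/su lines in sourcetype=linux_secure.
SAMPLE_EVENTS = [
    "Mar 10 08:01:12 web01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 08:01:12 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar 10 08:02:40 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40210 ssh2",
    "Mar 10 08:02:45 web01 sshd[1240]: Invalid user admin from 203.0.113.7",
    "Mar 10 08:03:01 web01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar 10 08:03:01 web01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)",
    "Mar 10 08:04:15 web01 sshd[1250]: Failed password for bob from 10.0.0.9 port 51300 ssh2",
    "Mar 10 08:04:20 web01 sshd[1250]: Accepted publickey for bob from 10.0.0.9 port 51300 ssh2",
    "Mar 10 08:05:00 web01 su: pam_unix(su:session): session opened for user root by alice(uid=1000)",
]


def extract_user(event):
    r"""Equivalent of `| rex "\suser[^'](?<User>\S+\w+)"` on one event.

    Returns the User field, or None when the pattern does not match (Splunk keeps
    the event but leaves the field unset)."""
    m = USER_RE.search(event)
    return m.group("User") if m else None


def count_by_user(events):
    """Equivalent of `| stats count by User`; events without a User field are dropped."""
    return Counter(u for u in map(extract_user, events) if u is not None)


def distinct_users(events):
    """Equivalent of `| stats dc(User)`."""
    return len(count_by_user(events))


def top_users(events, limit=10):
    """Equivalent of `| top limit=10 User`: (User, count) pairs, highest count first."""
    return count_by_user(events).most_common(limit)


def unmatched_events(events):
    """Events the rex leaves without a User field, i.e. invisible to all three searches."""
    return [e for e in events if extract_user(e) is None]


if __name__ == "__main__":
    print("top users:", top_users(SAMPLE_EVENTS))
    print("dc(User):", distinct_users(SAMPLE_EVENTS))
    print("count by User:", dict(count_by_user(SAMPLE_EVENTS)))
    print("events with no User field:")
    for e in unmatched_events(SAMPLE_EVENTS):
        print("  ", e)
```

On these lines the searches report admin and root with two events each and alice with one, so dc(User) is 3, while four events carry no User field at all: both of bob's sshd logins (which never contain the word "user"), alice's successful password login, and the sudo command line (whose USER=root is upper-case and so does not match the case-sensitive rex). The word "active" in the heading above therefore counts the non-existent "admin" account being brute-forced, and misses real interactive logins; if the goal is real user activity, the rex needs additional alternatives (for example "for (?<User>\S+) from") rather than relying on the "user" token alone.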