topic Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? in Security https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376228#M9283 <P>first need to check for password change then successful login with new password</P> Thu, 26 Jul 2018 16:11:45 GMT vin02 2018-07-26T16:11:45Z user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376226#M9281 <P>user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query?<BR />after password reset, how can i get failed attempt.</P> Sun, 07 Jun 2020 17:13:44 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376226#M9281 vin02 2020-06-07T17:13:44Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376227#M9282 <P>@vin02,</P> <P>You could get the failed login by using</P> <PRE><CODE>index=_audit action="login attempt" info=failed </CODE></PRE> <P>or even</P> <PRE><CODE>index=_audit action="login attempt" |stats count by info,user </CODE></PRE> Thu, 26 Jul 2018 16:06:47 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376227#M9282 renjith_nair 2018-07-26T16:06:47Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376228#M9283 <P>first need to check for password change then successful login with new password</P> Thu, 26 Jul 2018 16:11:45 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376228#M9283 vin02 2018-07-26T16:11:45Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376229#M9284 <P>Hi @vin02</P> <P>You can find info about password change in,</P> <P>index=_audit user=username "action=password change"</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5451i2EF39FA6B410DEBE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>&amp; after password change, you can see info about login in</P> <P>index=_audit user=username action="login attempt" info=succeeded</P> <P>Thanks</P> Thu, 26 Jul 2018 16:30:43 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376229#M9284 PowerPacked 2018-07-26T16:30:43Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376230#M9285 <P>@vin02,</P> <P>Sample SPL with the data, you can adjust according to your requirement</P> <PRE><CODE>index=_audit (action="password change" OR action="login attempt")|table _time,user,action,info|sort - _time |streamstats current=f last(action) as next_action,last(info) as next_info by user |eval status=if(action=="password change" AND info="succeeded" AND next_action="login attempt" AND next_info=="succeeded","OK","NOK") |where action=="password change" </CODE></PRE> Thu, 26 Jul 2018 16:46:11 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376230#M9285 renjith_nair 2018-07-26T16:46:11Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376231#M9286 <P>thanks @renjith.nair</P> Fri, 27 Jul 2018 04:04:17 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376231#M9286 vin02 2018-07-27T04:04:17Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376232#M9287 <P>@vin02, if it worked for you, please accept as answer</P> Sun, 29 Jul 2018 01:07:17 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376232#M9287 renjith_nair 2018-07-29T01:07:17Z Re: user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query? https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376233#M9288 <P>last command is correct with just a small correction</P> <P>instead of <BR /> index=_audit user=username "action=password change"<BR /> it should be<BR /> index=_audit user=username action="password change"</P> Wed, 30 Sep 2020 05:26:41 GMT https://community.splunk.com/t5/Security/user-changed-his-password-and-successfully-logged-in-after/m-p/376233#M9288 vinitpathri 2020-09-30T05:26:41Z