topic Re: Windows Last Logon against a .csv file in Getting Data In

Windows Last Logon against a .csv file

WPDITSec — Tue, 29 Sep 2020 16:39:00 GMT

I am trying to search for a list of users Last Logon to Windows through SPLUNK... for an individual user I use the search

USERNAME logon eventtype=windows_logon_success |table User_time

However, I am trying to do this for around 300 users.. is there a way to do this on bulk by importing a lookup .csv file and getting the search to look at the username & export a new list with the last logon date populated?

Any help would be great

Thanks

Re: Windows Last Logon against a .csv file

gcusello — Wed, 08 Nov 2017 11:29:46 GMT

Hi WPDITSec,
you have to create a lookup with the user_names list, possibly using as column name the same name of the field in your logs (e.g. USERNAME ).
After you could run a search like this:

index=wineventlog eventtype=windows_logon_success [ | inputlookup user_name.csv | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

you have only to define the time period of your search (e.g. last week)

Put attention to the case of USERNAME: if you have the dubt that there could be differences between upper and lower case, you have to modify the above search (it's slower!)

index=wineventlog eventtype=windows_logon_success 
| eval USERNAME=upper(USERNAME)
[ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

Bye.
Giuseppe

Re: Windows Last Logon against a .csv file

jkat54 — Wed, 08 Nov 2017 11:55:37 GMT

Why not do it like this:

 logon eventtype=windows_logon_success User_time=* |stats latest(User_time) by userName

Where userName is whatever the userName field is in your data. No need for a lookup if I’m following your question correctly.