https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357168#M105663 <P>marked code. Also, in general, you should always put the index name in your code.</P> Thu, 10 Aug 2017 13:52:15 GMT DalJeanis 2017-08-10T13:52:15Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357165#M105660 <P>Hi.</P> <P>I would like to search who (user) and when accessed the server (server_name)</P> <P>I make a search like this but I don't get the right results.</P> <PRE><CODE>dest="server_name" user="*" src="*" | table _time user src dest action </CODE></PRE> <P>Can please somebody help me.<BR /> Thanks.</P> Thu, 10 Aug 2017 10:19:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357165#M105660 5er 2017-08-10T10:19:10Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357166#M105661 <P>What results are you getting and what do you expect to get?</P> Thu, 10 Aug 2017 12:49:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357166#M105661 richgalloway 2017-08-10T12:49:49Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357167#M105662 <P>I get:</P> <P>_time user src dest action<BR /> 2017-08-09 14:36:04 n/a server-02 server-01 blocked<BR /> 2017-08-09 11:41:09 n/a server-02 server-01 blocked<BR /> 2017-08-09 09:55:21 n/a server-02 server-01 blocked</P> <P>I'm supposed to get the users(usernames) who connect to server-01 (destination).<BR /> Am I missing something?</P> Thu, 10 Aug 2017 13:04:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357167#M105662 5er 2017-08-10T13:04:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357168#M105663 <P>marked code. Also, in general, you should always put the index name in your code.</P> Thu, 10 Aug 2017 13:52:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357168#M105663 DalJeanis 2017-08-10T13:52:15Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357169#M105664 <P>This depend on whether the server is Windows, unix, or something else.</P> <P>To research this, use your own userid and the name of a server that you normally log on to, run a verbose search like this...</P> <PRE><CODE>index=* "myserver" "myuserid" </CODE></PRE> <P>Look at the results you get for the data and time you last logged on. </P> <P>If it's Windows, you will be looking at an event 4624 (or some older ones in the 500 series).</P> <P>If it's Unix, you will probably be looking at a PAM accepted record or something similar. </P> <P>If it's an IBM mainframe, it will be a RACF record. </P> <P>Look at the fields that are available on that record. Maybe you've misspelled them, or mis-capitalized them, or something. Maybe they just aren't there.</P> <P>If that isn't enough to solve your problem, then update your question details showing the form of the record, with any confidential information masked. Change ip to 1.2.3.4 or 5.6.7.8, host name to myhost.mycompany.com, userid to myuserid... stuff like that. </P> <P>We'll get you through this.</P> Thu, 10 Aug 2017 15:19:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-who-and-when-accessed-the-server/m-p/357169#M105664 DalJeanis 2017-08-10T15:19:18Z