https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528337#M149177 <P>Need to know what was the last time a domain AD account “username” was logged into and from what server/machine please?</P> Fri, 06 Nov 2020 14:47:57 GMT chrodriguez 2020-11-06T14:47:57Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528337#M149177 <P>Need to know what was the last time a domain AD account “username” was logged into and from what server/machine please?</P> Fri, 06 Nov 2020 14:47:57 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528337#M149177 chrodriguez 2020-11-06T14:47:57Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528338#M149178 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228509">@chrodriguez</a>&nbsp;</P><P>Try this:</P><P><SPAN>EventCode=4624 | dedup ComputerName | table ComputerName _time</SPAN></P><P><SPAN><A href="https://community.splunk.com/t5/Getting-Data-In/Windows-Last-Logon/m-p/198547#M39353" target="_self">View solution in original post</A>&nbsp;</SPAN></P><P><SPAN>Let us know if this works for you</SPAN></P><P><SPAN>V/R,<BR />nwuest</SPAN></P> Fri, 06 Nov 2020 15:09:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528338#M149178 nwuest 2020-11-06T15:09:26Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528343#M149181 <P>That doesn't return anything, I really need to focus on "A User" not just everything. I ran this, and it returned nothing for the account but then when I try against my user account it does return data. The account wmsadmin is indeed an actual user account that is disabled and the "lastLogonTimestamp" has a value or date of 9/20/2011.</P><P>index=wineventlog sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634 "wmsadmin")<BR />| eval day=strftime(_time,"%d/%m/%Y")<BR />| stats earliest(_time) AS earliest latest(_time) AS latest by user host day<BR />| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")</P> Fri, 06 Nov 2020 15:45:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528343#M149181 chrodriguez 2020-11-06T15:45:39Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528353#M149183 <P>That doesn't return anything, I really need to focus on "A User" not just everything. I ran this, and it returned nothing for the account but then when I try against my user account it does return data. The account wmsadmin is indeed an actual user account that is disabled and the "lastLogonTimestamp" has a value or date of 9/20/2011. index=wineventlog sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634 "wmsadmin") | eval day=strftime(_time,"%d/%m/%Y") | stats earliest(_time) AS earliest latest(_time) AS latest by user host day | eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")</P> Fri, 06 Nov 2020 16:52:59 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528353#M149183 chrodriguez 2020-11-06T16:52:59Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528354#M149184 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228509">@chrodriguez</a>,</P><P>So you are specifically looking for the account "wmsadmin", which is <U>disabled</U> to see the last time that it was used to log in?<BR /><BR />Have you been collecting logs in your environment with splunk forwarders since "9/20/2011" the date of the lastLogonTimestamp?</P><UL><LI>If you have had splunk forwarders collecting events for that long, what is your retention policy with frozen buckets?</LI><LI><STRONG>If not</STRONG>, you can try to kickoff an event with 'enabling that account, logging in-and-out with it then disabling the account'.<BR />Then you should see some activity in your searchhead so that search will return some results.</LI></UL><P>Let us know what happens!</P><P>V/R,<BR />nwuest</P><P>&nbsp;</P> Fri, 06 Nov 2020 17:25:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528354#M149184 nwuest 2020-11-06T17:25:07Z https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528360#M149187 <P>thanks for the insight, I completely forgot that we have only had splunk introduced since 2016. So thats why its not populating data from 2011.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 06 Nov 2020 18:17:36 GMT https://community.splunk.com/t5/Splunk-Search/Need-last-logon-for-a-user/m-p/528360#M149187 chrodriguez 2020-11-06T18:17:36Z