https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693639#M235982 <P>I tailored the query to the appropriate fields and viola it worked.</P><P>&nbsp;</P><P>I appreciate your efforts and thank you for your time.</P> Wed, 17 Jul 2024 20:14:42 GMT Skadrir 2024-07-17T20:14:42Z https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693610#M235973 <P>I am trying to query our windows and linux indexes to verify how many times a user has logged in over a period of time.</P><P>&nbsp;</P><P>Currently, I only care about the last 7 days. I've tried to run some queries, but it's not very fruitful.</P><P>&nbsp;</P><P>Can I gain some assistance with generating a query for determining the number of logins over a period of time, please?</P><P>&nbsp;</P><P>Thank you.</P> Wed, 17 Jul 2024 13:00:55 GMT https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693610#M235973 Skadrir 2024-07-17T13:00:55Z https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693626#M235976 <P>This is a Splunk forum. &nbsp;No one here knows what your data source looks like. To ask an answerable data analytics question, follow these golden rules; nay, call them the four commandments:</P><UL><LI>Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.</LI><LI>Illustrate the desired output from illustrated data.</LI><LI>Explain the logic between illustrated data and desired output&nbsp;<EM>without</EM>&nbsp;SPL.</LI><LI>If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different&nbsp;<U>to you</U>&nbsp;if that is not painfully obvious.</LI></UL> Wed, 17 Jul 2024 16:12:48 GMT https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693626#M235976 yuanliu 2024-07-17T16:12:48Z https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693629#M235977 <P>Effectively I want to comb through the windows event logs to determine logon dates and times for a specific user(s) and output those entries into a table with username, date and time. We have a windows index and we want to query the last seven days and the number of logins for a given user.</P><P>I would imagine it'd be fairly simple to do, I just don't SPL. This is why I engaged the brain trust online in this forum. I don't splunk as a day job, so I'm not familiar with the intricacies with SPL.</P><P>In short, give all entries from windows security logs for the last seven days from the windows index for a specific user with event ID 4624.</P><P>Thank you.</P> Wed, 17 Jul 2024 16:47:25 GMT https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693629#M235977 Skadrir 2024-07-17T16:47:25Z https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693634#M235979 <P>Is something like this what you are looking for? Set the time range picker to your desired range.</P><LI-CODE lang="markup">index=windows EventCode=4624 Account_Name IN ("Larry","Curly","Moe") | eval Logon_Account_Name=mvindex(Account_Name, 1) | table _time, ComputerName, Logon_Account_Name | sort _time</LI-CODE><P>&nbsp;</P> Wed, 17 Jul 2024 18:06:42 GMT https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693634#M235979 fredclown 2024-07-17T18:06:42Z https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693639#M235982 <P>I tailored the query to the appropriate fields and viola it worked.</P><P>&nbsp;</P><P>I appreciate your efforts and thank you for your time.</P> Wed, 17 Jul 2024 20:14:42 GMT https://community.splunk.com/t5/Splunk-Search/Query-user-login-over-a-period-of-time/m-p/693639#M235982 Skadrir 2024-07-17T20:14:42Z