https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744835#M241327 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267795">@CMAzurdia</a>&nbsp;</P><P>My apologies, I thought you were referring to people logging in to Splunk using SAML.</P><P>Ultimately this depends on what the data looks like when you receive it in Splunk? Its worth starting by identifying key fields in your data and then filtering down until you just get the events you are interested in - from here you can work through your usecase/requirements.</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Apr 2025 21:25:55 GMT livehybrid 2025-04-23T21:25:55Z https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744798#M241317 <P>Hello Splunk team,</P><P>I need a search query that can pull data back of successful and unsuccessful login attempts of users login into a server using SAML. I also need to create a dashboard of the results. Any additional information needed, please let me know.</P><P>Do I need to extract a field of all the users using SAML?</P><P>v/r</P><P>cmazurdia</P> Wed, 23 Apr 2025 15:23:49 GMT https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744798#M241317 CMAzurdia 2025-04-23T15:23:49Z https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744800#M241318 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267795">@CMAzurdia</a>&nbsp;</P><P>Typically success/failed login attempts are recorded by the Identity Provider (IdP) rather than Splunk, however you can see successful logins to Splunk from SAML users with the following query:</P><LI-CODE lang="markup">index=_internal method=POST uri=/saml/acs | table _time user clientip</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Apr 2025 15:42:08 GMT https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744800#M241318 livehybrid 2025-04-23T15:42:08Z https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744801#M241319 <P>The query did not error, but also 0 events. Any other way? I have created a lookup table.</P><P>&nbsp;</P> Wed, 23 Apr 2025 16:16:48 GMT https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744801#M241319 CMAzurdia 2025-04-23T16:16:48Z https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744806#M241320 <P>I have a server pushing audit logs data to a syslog, to login to the server you need SAML. My question is: how do I pull data of successful logins and unsuccessful logins of those SAML users in Splunk?</P><P>&nbsp;</P><P>Thank you.</P> Wed, 23 Apr 2025 17:33:34 GMT https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744806#M241320 CMAzurdia 2025-04-23T17:33:34Z https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744835#M241327 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267795">@CMAzurdia</a>&nbsp;</P><P>My apologies, I thought you were referring to people logging in to Splunk using SAML.</P><P>Ultimately this depends on what the data looks like when you receive it in Splunk? Its worth starting by identifying key fields in your data and then filtering down until you just get the events you are interested in - from here you can work through your usecase/requirements.</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Apr 2025 21:25:55 GMT https://community.splunk.com/t5/Splunk-Search/Pulling-back-data-from-users-login-in-using-SAML/m-p/744835#M241327 livehybrid 2025-04-23T21:25:55Z