topic Re: User last login date in Splunk Search

User last login date

sanju005ind — Wed, 28 Jul 2010 21:35:01 GMT

I have a about 250 users and I would like to to know when was the last time each of them have logged in. Is there a query that I can use.

Re: User last login date

ftk — Wed, 28 Jul 2010 21:47:07 GMT

Can you elaborate a bit please? Are they splunk users and you want to look at splunk's audit logs or are they users in a different system? If they are a different system, what system, how do you get the logs, can you provide sample data?

You'll get a better answer the more detail you provide.

Re: User last login date

sanju005ind — Wed, 28 Jul 2010 21:48:55 GMT

They are splunk users. I would like to know when each user last logged in Splunk.

Re: User last login date

wollinet — Wed, 28 Jul 2010 22:36:49 GMT

Try

index=_audit action="login attempt" | stats max(timestamp) by user

Re: User last login date

sanju005ind — Wed, 28 Jul 2010 22:54:39 GMT

That works! Thanks a lot.

Re: User last login date

stanwin — Tue, 14 Jul 2015 10:37:44 GMT

action="login attempt" is not logged for 6.2.2 it seems..

works for 6.1.4 Build 233537

Re: User last login date

marcospmr — Fri, 11 Mar 2016 19:54:54 GMT

It works ok for 6.3.

Re: User last login date

chrisitanmoleck — Mon, 21 Aug 2017 06:53:25 GMT

The answer of wollinet works only for the current year, because the timestamp is mm-dd-yy.
So if you did login in December 2016 and January 2017, the last login will be December 2016.

Is it possible to modify the query that the order is yy-mm-dd?

Re: User last login date

bjoernhansen — Tue, 07 Nov 2017 10:58:11 GMT

Should be like this:
iindex=_audit action="login attempt" | stats latest(user) by user

It should actually not matter what you put inside the latest()...