topic Re: How to search a list of users who have tried to log in often or never logged in? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283810#M85770 <P>I would suggest creating a field for users who logged in then create another field for users who logged out then do a <CODE>...| stats count by</CODE></P> <P>To make the fields you will need to find a pattern then write a regular expression to capture this.. Post some a sample and I'll help write your regular expression </P> Wed, 17 Feb 2016 19:51:15 GMT skoelpin 2016-02-17T19:51:15Z How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283809#M85769 <P>Hi,</P> <P>Is there any search to get a list of users who have tried to log in often or never logged in?</P> <P>Thanks,</P> <P>V</P> Wed, 17 Feb 2016 17:48:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283809#M85769 vinodsinha 2016-02-17T17:48:48Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283810#M85770 <P>I would suggest creating a field for users who logged in then create another field for users who logged out then do a <CODE>...| stats count by</CODE></P> <P>To make the fields you will need to find a pattern then write a regular expression to capture this.. Post some a sample and I'll help write your regular expression </P> Wed, 17 Feb 2016 19:51:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283810#M85770 skoelpin 2016-02-17T19:51:15Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283811#M85771 <P>can you give me regular exp to run the query?</P> Thu, 18 Feb 2016 07:01:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283811#M85771 vinodsinha 2016-02-18T07:01:19Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283812#M85772 <P>If you provide a data sample.. </P> Thu, 18 Feb 2016 13:46:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283812#M85772 skoelpin 2016-02-18T13:46:25Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283813#M85773 <P>something like this :-<BR /> index=_internal sourcetype=splunk_web_access | table user | dedup user</P> Tue, 29 Sep 2020 08:50:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283813#M85773 vinodsinha 2020-09-29T08:50:31Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283814#M85774 <P>similar like this query but without csv option:- </P> <P>| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]</P> Tue, 29 Sep 2020 08:50:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283814#M85774 vinodsinha 2020-09-29T08:50:34Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283815#M85775 <P>I'm looking for the data sample (Also known as events) which are returned when you run a query. It's impossible to create a regular expression without seeing the patterns in the data sample.. </P> <P>An example would be this </P> <PRE><CODE>2/19/2016 12:01:00 - User gollam logged in 2/19/2016 12:34:01 - User gollam logged out </CODE></PRE> Fri, 19 Feb 2016 15:19:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283815#M85775 skoelpin 2016-02-19T15:19:51Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283816#M85776 <P>give me any simple query.</P> Sun, 21 Feb 2016 13:28:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283816#M85776 vinodsinha 2016-02-21T13:28:20Z Re: How to search a list of users who have tried to log in often or never logged in? https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283817#M85777 <P>hi<BR /> try this</P> <PRE><CODE>|set intersect[|rest /services/authentication/users|fields username][search NOT[ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields username ]] </CODE></PRE> Mon, 22 Feb 2016 09:33:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-list-of-users-who-have-tried-to-log-in-often-or/m-p/283817#M85777 chimell 2016-02-22T09:33:58Z