Splunk Search

List of users who have logged into Splunk in the last 30 days and what Apps/Indexes they accessed.

aknsun
Path Finder

Hi,
Looking to get some help with a query for the following.

List of users who have logged into Splunk in the last 30 days and what Apps/Indexes they accessed.

Thanks.


gcusello
SplunkTrust

Hi aknsun,
to know the logged-in Splunk users you have to run a search like this:

index=_audit sourcetype = audittrail action="login attempt" 

To know the App accessed you can use something like this:

index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
| rex field=uri ".*\/app\/(?<app>[^\/]*)\/"

To correlate them, you could run something like this:

(index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-) OR (index=_audit sourcetype = audittrail action="login attempt")
| rex field=uri ".*\/app\/(?<app>[^\/]*)\/"
| fillnull value="login" app
| stats count BY user app

Ciao.
Giuseppe
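An added worked example, not code from the thread, that runs the same correlation offline in Python over constructed sample events: it applies the `/app/<name>/` extraction and the `user!=-` filter from the answer, keeps login events even though they carry no `uri` (a plain `stats ... BY user app` drops them because `app` is null there), and also pulls `index=` names out of audit search events to cover the "indexes accessed" half of the question. The field layout of the sample lines (`info=succeeded`, `action=search`, the `search` field) is an assumption about the audittrail sourcetype made for this example.

```python
import re
from collections import defaultdict

# Constructed sample events, not real Splunk output. They mimic the key=value
# shape of audittrail (login attempt / search) and splunk_web_access events;
# the exact field layout is an assumption made for this example.
SAMPLE_EVENTS = [
    'action="login attempt" info=succeeded user=alice',
    'action="login attempt" info=succeeded user=bob',
    'action="login attempt" info=failed user=mallory',
    "action=search info=granted user=alice search='index=web sourcetype=access_combined | stats count'",
    "action=search info=granted user=bob search='index=\"_audit\" action=search'",
    'user=alice method=GET status=200 uri=/en-US/app/search/search',
    'user=alice method=GET status=200 uri=/en-US/app/launcher/home',
    'user=bob method=GET status=200 uri=/en-US/app/search/dashboards',
    'user=- method=GET status=200 uri=/en-US/app/search/search',       # unauthenticated, excluded (user!=-)
    'user=carol method=GET status=404 uri=/en-US/app/nosuchapp/home',  # not status=200, ignored
]

KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
APP_RE = re.compile(r"/app/([^/]+)/")  # same extraction as the thread's rex
INDEX_RE = re.compile(r'index\s*=\s*"?([^\s"\)]+)', re.IGNORECASE)  # index=... in a search string


def parse_event(line):
    """Split one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(line)}


def correlate(lines):
    """Per user with a successful login: login count, apps opened, indexes searched.
    A login is counted even if the user opened no app; a plain `stats ... BY user app`
    would drop those events because `app` is null on audit events."""
    report = defaultdict(lambda: {"logins": 0, "apps": set(), "indexes": set()})
    for line in lines:
        ev = parse_event(line)
        user = ev.get("user")
        if not user or user == "-":
            continue
        if ev.get("action") == "login attempt":
            if ev.get("info") == "succeeded":
                report[user]["logins"] += 1
        elif ev.get("action") == "search":
            names = INDEX_RE.findall(ev.get("search", ""))
            report[user]["indexes"].update(n.lower() for n in names)
        elif ev.get("method") == "GET" and ev.get("status") == "200":
            m = APP_RE.search(ev.get("uri", ""))
            if m:
                report[user]["apps"].add(m.group(1))
    return {u: r for u, r in report.items() if r["logins"] > 0}
```

Running `correlate(SAMPLE_EVENTS)` reports alice and bob only: mallory's login failed and carol never logged in, so neither is listed, while the `user=-` hit is discarded before it can be attributed to anyone.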


aknsun
Path Finder

Thanks @gcusello. That worked.
