Splunk Search

When Was The User Account Created

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm using the query below to list the current user accounts:

|rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user

Could someone tell me please is there a way to determine when the account was created.

I have tried:

|rest /services/authentication/users splunk_server=local 

But there is no such field that I can see, only when the account was last updated.

I just wonder whether someone may be able to point me in the right direction as to where I may find this information.

Many thanks and kind regards

Chris

0 Karma
1 Solution

jeffland
SplunkTrust

I don't think this info is available. If you have a look at your .conf and the corresponding .meta files, you can see that this data is not recorded, only last modtime. I doubt the rest endpoint looks any place other than there.

You could search the index _audit for the earliest occurrence of user names.


0 Karma

IRHM73
Motivator

Hi, for those of you who may be interested, I think I may have found a solution to this using the query below:

index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp

I hope this helps.

Many thanks and kind regards

Chris

Julian_Gudiel_S
Explorer

Great! Thank you!

I modified this query to get the real names:

index=_audit action=edit_user operation=create
| join user type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as user_name, title as user]
| join object type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as edited_user_name, title as object]
| sort - timestamp
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
| convert timeformat="%d/%m/%Y %H:%M:%S.%3N" ctime(timestamp)
| rename user as user_id, object as edited_user_id
| table user_id user_name edited_user_id edited_user_name timestamp
0 Karma
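As an added example that is not part of the thread, the same logic applied offline in Python over constructed _audit lines: it keeps action=edit_user operation=create events, parses the timestamp with the thread's "%m-%d-%Y %H:%M:%S.%3N" layout, and generalises Chris's query by reporting only the earliest create event per account (useful when an account was deleted and re-created); it also implements jeffland's first-seen fallback. The Audit:[...] key=value layout and the sample users are assumptions of this example.

```python
"""Derive user creation times from Splunk _audit events (added example)."""
import re
from datetime import datetime

# Constructed sample lines; the Audit:[...] layout is an assumption, not real data.
SAMPLE_AUDIT = [
    'Audit:[timestamp=03-05-2024 09:12:44.120, user=admin, action=edit_user, info=granted object="alice" operation=create ]',
    'Audit:[timestamp=03-05-2024 09:13:02.007, user=admin, action=edit_user, info=granted object="alice" operation=edit ]',
    'Audit:[timestamp=03-06-2024 17:40:10.555, user=admin, action=edit_user, info=granted object="bob" operation=create ]',
    'Audit:[timestamp=03-07-2024 08:00:00.000, user=alice, action=search, info=granted search_id=1709798400.17 ]',
    'Audit:[timestamp=03-04-2024 11:00:00.000, user=admin, action=edit_user, info=granted object="bob" operation=create ]',
]

TS_FMT = "%m-%d-%Y %H:%M:%S.%f"          # Python spelling of SPL "%m-%d-%Y %H:%M:%S.%3N"
TS_RE = re.compile(r"timestamp=(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s\]]+))')   # key="quoted" or key=bare


def parse_audit(line):
    """Return the key=value fields of one Audit:[...] line, or None if not one."""
    m = re.match(r"Audit:\[(.*)\]\s*$", line)
    if not m:
        return None
    body = m.group(1)
    fields = {k: q or u for k, q, u in KV_RE.findall(body)}
    ts = TS_RE.search(body)             # timestamp contains a space, so re-extract it
    if ts:
        fields["timestamp"] = ts.group(1)
    return fields


def user_creation_times(lines):
    """Earliest action=edit_user operation=create event per created account."""
    created = {}
    for line in lines:
        ev = parse_audit(line)
        if not ev or ev.get("action") != "edit_user" or ev.get("operation") != "create":
            continue
        when = datetime.strptime(ev["timestamp"], TS_FMT)
        name = ev["object"]
        if name not in created or when < created[name]:
            created[name] = when
    return created


def first_seen(lines):
    """jeffland's fallback: earliest _audit event carrying user=<name>, any action."""
    seen = {}
    for line in lines:
        ev = parse_audit(line)
        if not ev or "user" not in ev or "timestamp" not in ev:
            continue
        when = datetime.strptime(ev["timestamp"], TS_FMT)
        if ev["user"] not in seen or when < seen[ev["user"]]:
            seen[ev["user"]] = when
    return seen


def format_report(created, fmt="%d/%b/%Y"):
    """Render like the thread's convert timeformat="%d/%b/%Y" ctime(timestamp)."""
    return {u: t.strftime(fmt) for u, t in sorted(created.items())}
```

Note that first_seen only tells you when an account first acted, so for an account that never logged in it reports nothing; the create event is the authoritative source.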


IRHM73
Motivator

Hi @jeffland, that's a shame, but thank you for taking the time to come back to me with this.

Kind regards

Chris

0 Karma