chopping up lastlog

JJ_of_c9
Engager

I have managed to get our linux hosts' lastlog data into our Splunk> (version 5.0.2, build 149561) easily enough, but what I am trying to accomplish (with any additional app installs, thanks) is to "chop up" the lastlog results into a chart by host, user, ip and date.

I tried Extract Fields on the results and could NOT get it to recognize a list of 40 names.
20 Most Common and 20 'Random' names, either together or separately, both return "No regex could be learned. Try providing different examples or restriction."

I tried the actual names from "sample events" and it just barks the same message.
Even the simple names list (Lucy Ricky Fred Ethel) fails.

We have the Splunk_TA_nix installed.

Sample data via splunk shows:

USERNAME FROM LATEST
root xx.xxx.61.95 Jun 5 06:15:58 2013
some_user isp-24-249-207- Jun 4 08:03:29 2013
another_user what.ever Jun 2 13:00:15 2013

Edit: Wed Jun 05, 2013 - 1:01:38 PM EDT

Extracted Fields vs Indexed Fields... so I want to extract the usernames from the output of

sourcetype="lastlog" host="*"

Fri Jun 07, 2013 - 2:22:40 PM EDT
Some progress...
\w+\s+\w+\s+\w+\s+(?P[^ ]+)
but this only grabs "root" and one other username,
so, still banging away...

Thanks

1 Solution

glitchcowboy
Path Finder

Is this what you're looking for?:

index=os sourcetype=lastlog|multikv|table host,LATEST,FROM,USERNAME

mike11339
Explorer

I also found this format to be useful and easy to read.

sourcetype="lastlog" |dedup host| multikv |stats list(USERNAME) AS login_user, list(LATEST) AS login_time by host

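The two answers above (multikv into a table, and stats list(USERNAME)/list(LATEST) by host) do the row splitting inside Splunk. As an added illustration that is not code from the thread or from Splunk_TA_nix, the script below does the same parsing in Python on a constructed copy of the USERNAME FROM LATEST output, so you can see why the asker's \w+-based regex stops after the first tokens: the LATEST column is four whitespace-separated tokens and must be captured as one unit. The host names, addresses and the "**Never logged in**" row are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of what the lastlog sourcetype shows per host: a header
# line, then one row per user. The "**Never logged in**" row is an assumed
# edge case taken from plain lastlog output, not from the thread.
SAMPLE_EVENTS = {
    "web01": (
        "USERNAME FROM LATEST\n"
        "root 10.0.0.5 Jun 5 06:15:58 2013\n"
        "some_user isp-24-249-207- Jun 4 08:03:29 2013\n"
        "another_user what.ever Jun 2 13:00:15 2013\n"
    ),
    "db01": (
        "USERNAME FROM LATEST\n"
        "root 10.0.0.9 Jun 3 22:10:01 2013\n"
        "backup **Never logged in**\n"
    ),
}

# LATEST spans four whitespace-separated tokens, so a plain \w+ split (as in
# the question's regex) cannot isolate it; match the whole timestamp as a unit.
ROW_RE = re.compile(
    r"^(?P<USERNAME>\S+)\s+(?P<FROM>\S+)\s+"
    r"(?P<LATEST>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})$"
)

def parse_lastlog(host, text):
    """Return one dict per data row, much like multikv does for a tabular event."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("USERNAME"):
            continue  # skip blank lines and the header
        m = ROW_RE.match(line)
        if m:
            rows.append({"host": host, **m.groupdict()})
        else:  # e.g. "**Never logged in**": keep the user, leave FROM/LATEST empty
            rows.append({"host": host, "USERNAME": line.split()[0],
                         "FROM": None, "LATEST": None})
    return rows

def logins_by_host(events):
    """Equivalent of '| stats list(USERNAME) AS login_user, list(LATEST) AS login_time by host'."""
    summary = defaultdict(lambda: {"login_user": [], "login_time": []})
    for host, text in events.items():
        for row in parse_lastlog(host, text):
            summary[host]["login_user"].append(row["USERNAME"])
            summary[host]["login_time"].append(row["LATEST"])
    return dict(summary)
```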

piebob
Splunk Employee

jj: if glitch's answer solved your problem, please accept his answer by checking the checkbox. thanks!


JJ_of_c9
Engager

Very close and it gives me so much to work with. I can shape the output further thanks to you and this working example.

sourcetype="lastlog"| multikv|table host,USERNAME,LATEST,FROM | dedup host sortby lastlogin_time | table host,USERNAME,LATEST,FROM

Thank you very much!

John Jones of cirrhus9.com
