Getting Data In

Logging Splunk enterprise sign ins?

ceichhorn
Engager

This question has likely been asked, but the language makes it difficult to search for.

I'm looking to create a search which lists every time someone has logged in to the Splunk Enterprise interface. Is there a simple search that outputs this data? Thanks very much!

Tags (3)
0 Karma
1 Solution

aljohnson_splun
Splunk Employee
Splunk Employee

Try looking at the _audit index.

For example, just exploring:

index=_audit login

reveals there is a field action with a value login attempt (note the space), furthermore, there is a field info that has the values either succeeded or failed. which leads us towards a better search like:

index=_audit action="login attempt" info=succeeded
| timechart count by user

or something of the sort.

View solution in original post

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Try looking at the _audit index.

For example, just exploring:

index=_audit login

reveals there is a field action with a value login attempt (note the space), furthermore, there is a field info that has the values either succeeded or failed. which leads us towards a better search like:

index=_audit action="login attempt" info=succeeded
| timechart count by user

or something of the sort.

0 Karma

ceichhorn
Engager

Thanks, this got it! Much appreciated.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...