This question has likely been asked, but the language makes it difficult to search for.
I'm looking to create a search which lists every time someone has logged in to the Splunk Enterprise interface. Is there a simple search that outputs this data? Thanks very much!
Try looking at the _audit index.

For example, just exploring:

index=_audit login

reveals there is a field "action" with a value "login attempt" (note the space). Furthermore, there is a field "info" that has the values either "succeeded" or "failed", which leads us towards a better search like:

index=_audit action="login attempt" info=succeeded
| timechart count by user

or something of the sort.
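To make concrete what the search above does, here is an added Python example (not part of the answer or of Splunk itself) that applies the same filter, action equals "login attempt" and info equals "succeeded" or "failed", to a handful of constructed audit lines and reproduces a "count by user" and an hourly "timechart count by user". The line layout and the clientip field are assumptions for the example; only the user, action and info field names come from the answer. The failed-login view is included because that is the one a defender usually alerts on.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events, loosely modelled on Splunk _audit "login attempt"
# records. The exact field layout is an assumption for this example, not real
# Splunk output; the field names user, action and info match the answer above.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=03-01-2024 09:00:01.000, user=alice, action=login attempt, info=succeeded, clientip=10.0.0.5]",
    "Audit:[timestamp=03-01-2024 09:05:12.000, user=bob, action=login attempt, info=failed, clientip=10.0.0.9]",
    "Audit:[timestamp=03-01-2024 10:30:44.000, user=alice, action=login attempt, info=succeeded, clientip=10.0.0.5]",
    "Audit:[timestamp=03-01-2024 10:45:03.000, user=carol, action=login attempt, info=succeeded, clientip=10.0.0.7]",
    "Audit:[timestamp=03-01-2024 10:50:19.000, user=bob, action=login attempt, info=failed, clientip=10.0.0.9]",
    "Audit:[timestamp=03-01-2024 10:55:27.000, user=bob, action=login attempt, info=succeeded, clientip=10.0.0.9]",
    # Not a login event: the action filter must drop it.
    "Audit:[timestamp=03-01-2024 11:02:00.000, user=alice, action=search, info=granted, clientip=10.0.0.5]",
]

# key=value pairs separated by commas; a value may contain spaces ("login attempt").
FIELD_RE = re.compile(r"(\w+)=([^,\]]+)")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line):
    """Return the key/value fields inside the [...] of one audit line as a dict."""
    body = re.search(r"\[(.*)\]", line)
    if not body:
        return {}
    return {k: v.strip() for k, v in FIELD_RE.findall(body.group(1))}


def login_attempts(lines, info):
    """Equivalent of: index=_audit action="login attempt" info=<info>."""
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("action") == "login attempt" and fields.get("info") == info:
            yield fields


def count_by_user(lines, info="succeeded"):
    """Equivalent of: ... | stats count by user."""
    return dict(Counter(f["user"] for f in login_attempts(lines, info)))


def timechart_by_user(lines, info="succeeded"):
    """Equivalent of: ... | timechart span=1h count by user.

    Returns {hour_bucket: {user: count}} with buckets labelled YYYY-MM-DD HH:00.
    """
    chart = defaultdict(Counter)
    for f in login_attempts(lines, info):
        ts = datetime.strptime(f["timestamp"], TS_FORMAT)
        bucket = ts.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%d %H:%M")
        chart[bucket][f["user"]] += 1
    return {b: dict(c) for b, c in sorted(chart.items())}


if __name__ == "__main__":
    print("successful logins by user:", count_by_user(SAMPLE_AUDIT_LINES))
    print("failed logins by user:   ", count_by_user(SAMPLE_AUDIT_LINES, info="failed"))
    for bucket, users in timechart_by_user(SAMPLE_AUDIT_LINES).items():
        print(bucket, users)
```

Swapping info="succeeded" for info="failed" gives the repeated-failure view; on the constructed input only bob shows up there, which is the kind of per-user count a saved search would threshold on.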
Thanks, this got it! Much appreciated.