Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Last Logon against a .csv file

WPDITSec
New Member
‎11-08-2017 03:21 AM

I am trying to search for a list of users Last Logon to Windows through SPLUNK... for an individual user I use the search

USERNAME logon eventtype=windows_logon_success |table User_time

However, I am trying to do this for around 300 users.. is there a way to do this on bulk by importing a lookup .csv file and getting the search to look at the username & export a new list with the last logon date populated?

Any help would be great

Thanks

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-08-2017 03:55 AM

Why not do it like this:

 logon eventtype=windows_logon_success User_time=* |stats latest(User_time) by userName

Where userName is whatever the userName field is in your data. No need for a lookup if I’m following your question correctly.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2017 03:29 AM

Hi WPDITSec,
you have to create a lookup with the user_names list, possibly using as column name the same name of the field in your logs (e.g. USERNAME ).
After you could run a search like this:

index=wineventlog eventtype=windows_logon_success [ | inputlookup user_name.csv | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

you have only to define the time period of your search (e.g. last week)

Put attention to the case of USERNAME: if you have the dubt that there could be differences between upper and lower case, you have to modify the above search (it's slower!)

index=wineventlog eventtype=windows_logon_success 
| eval USERNAME=upper(USERNAME)
[ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...