Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Last Logon against a .csv file

WPDITSec
New Member
‎11-08-2017 03:21 AM

I am trying to search for a list of users Last Logon to Windows through SPLUNK... for an individual user I use the search

USERNAME logon eventtype=windows_logon_success |table User_time

However, I am trying to do this for around 300 users.. is there a way to do this on bulk by importing a lookup .csv file and getting the search to look at the username & export a new list with the last logon date populated?

Any help would be great

Thanks

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-08-2017 03:55 AM

Why not do it like this:

 logon eventtype=windows_logon_success User_time=* |stats latest(User_time) by userName

Where userName is whatever the userName field is in your data. No need for a lookup if I’m following your question correctly.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2017 03:29 AM

Hi WPDITSec,
you have to create a lookup with the user_names list, possibly using as column name the same name of the field in your logs (e.g. USERNAME ).
After you could run a search like this:

index=wineventlog eventtype=windows_logon_success [ | inputlookup user_name.csv | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

you have only to define the time period of your search (e.g. last week)

Put attention to the case of USERNAME: if you have the dubt that there could be differences between upper and lower case, you have to modify the above search (it's slower!)

index=wineventlog eventtype=windows_logon_success 
| eval USERNAME=upper(USERNAME)
[ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...