I am trying to search for a list of users' last logon to Windows through Splunk... for an individual user I use the search
USERNAME logon eventtype=windowslogonsuccess |table User_time
However, I am trying to do this for around 300 users... is there a way to do this in bulk by importing a lookup .csv file and getting the search to look at the username and export a new list with the last logon date populated?
Any help would be great
You have to create a lookup with the list of user names, possibly using as the column name the same name as the field in your logs (e.g. USERNAME).
Then you could run a search like this:
index=wineventlog eventtype=windows_logon_success [ | inputlookup user_name.csv | fields USERNAME ] | stats latest(_time) AS last_logon_time BY USERNAME
You only have to define the time period of your search (e.g. last week).
Pay attention to the case of USERNAME: if you suspect there could be differences between upper and lower case, you have to modify the above search (it's slower!):
index=wineventlog eventtype=windows_logon_success | eval USERNAME=upper(USERNAME) | search [ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ] | stats latest(_time) AS last_logon_time BY USERNAME
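One thing the search above does not show: a user from the CSV who had no successful logon in the window simply disappears from the stats output, and for a stale-account review those are exactly the rows you want to see. The following is an added example search, not part of either answer, that keeps every user from the lookup, normalises case on both sides, and writes the result back out as a new lookup. It assumes the `user_name.csv` lookup and the `windows_logon_success` eventtype from the answer above; the 30-day window and the output file name `last_logon_report.csv` are choices made for illustration.

```spl
index=wineventlog eventtype=windows_logon_success earliest=-30d@d latest=now
    [ | inputlookup user_name.csv | fields USERNAME ]
| eval USERNAME=upper(USERNAME)
| stats latest(_time) AS last_logon_time BY USERNAME
| append
    [ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ]
| stats max(last_logon_time) AS last_logon_time BY USERNAME
| eval last_logon=if(isnull(last_logon_time),
                     "no logon in window",
                     strftime(last_logon_time, "%Y-%m-%d %H:%M:%S"))
| fields USERNAME last_logon
| outputlookup last_logon_report.csv
```

The first subsearch still acts as an indexed filter, so the main search stays fast; the `append` of the raw user list followed by a second `stats ... BY USERNAME` is what keeps the users with no matching events (their `last_logon_time` stays null, and the `eval` labels them). Subsearches are capped by default at 10,000 results and 60 seconds, which is fine for 300 users but worth keeping in mind for much larger lists. You can then download `last_logon_report.csv` from Settings > Lookups or read it back with `| inputlookup last_logon_report.csv`.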
Why not do it like this:
logon eventtype=windows_logon_success User_time=* |stats latest(User_time) by userName
Where userName is whatever the user name field is in your data. No need for a lookup if I'm following your question correctly.