Windows Last Logon

Ed_Alias
Path Finder

Hi,

I'm trying to make a request to get the last logon for each user in my Windows infrastructure;

I have a simple request for now:

host=* EventCode=4624

I can't find a time stamp for events; how do I get the event time?

A second need would be to only keep in the report the last "time".

Thanks for community advice 😃

1 Solution

alterdego
Path Finder

This should give you something more along the lines of what you were looking for:
EventCode=4624 | dedup ComputerName | table ComputerName _time

Not exactly what you asked for, but to get more useful results you might want to also examine the Account_Name, Security_ID and Logon_Type fields.

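A search that returns one row per user with the time of that user's most recent logon, added here as an example and not taken from any post in this thread. It assumes the Splunk Add-on for Windows field extractions (Account_Name, Logon_Type) apply to the events, which they did not for the localized French events the OP was working with, where the literal label "Nom du compte " had to be used instead; Account_Name in a 4624 event is multivalue (Subject and New Logon account), so the last value is taken as the user who actually logged on.

```spl
EventCode=4624 sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=10)
| eval user=mvindex(Account_Name, -1)
| search user!="*$"
| stats latest(_time) AS last_logon BY user
| sort 0 - last_logon
| eval last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
```

stats latest(_time) keeps the newest event per user explicitly, whereas dedup keeps the first event the search returns, which is the newest only because results arrive in reverse-chronological order. Logon types 2 and 10 restrict the report to interactive and remote-desktop logons; drop that clause to include network and service logons as well.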
Ed_Alias
Path Finder

I guess you are right; I already read that Splunk is not very friendly to non-English logs ... I'll try your workaround.

alterdego
Path Finder

As I read it "Nom du compte " is being passed to the table command as a string and not a field.

If I wasn't getting the fields in the table I wanted I would try something like:
EventCode=4624 sourcetype="WinEventLog:Security" ComputerName!="*$" | dedup ComputerName | table *
which should create a table with all the fields. From that I would identify the columns I wanted to keep and use the field values after the table command to create the final version.

Ed_Alias
Path Finder

Hey, I'm almost getting the report as I want :)

When I extract as a CSV I only get the _time field; here is my request:

EventCode=4624 sourcetype="WinEventLog:Security" NOT "Nom du compte "="*$" | dedup "Nom du compte " | table "Nom du compte " _time


alterdego
Path Finder

The _time field is the internal time stamp that Splunk assigns to an event.
This should provide more insight:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields
Good Luck!


Ed_Alias
Path Finder

That seems to be what I'm looking for :)

What does "_time" stand for? Does it take a timestamp from a field?

PPape
Contributor

Maybe you should take a look at this:
https://apps.splunk.com/app/1448/

I think this app is a fit for you.

Ed_Alias
Path Finder

Thanks, I'll check that app 😃

But I still would like to have a request to do that.