Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find out user Log in & Log out for the application

jaibalaraman
Path Finder
‎10-05-2020 05:43 PM

Hi 

I tried the below SPL query which is not working , can anyone help me 

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message 

OR

source="*" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-05-2020 10:26 PM

OK, so take for example this query

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message

If you run this query in verbose mode (but do last 15 minutes, not last 30 days), then  in the events tab, you will see a list of fields. Do the fields you are using in the search exist?

Do you have permission to view events in the aws index?

In you just use index=aws for the last 15 minutes, do you see any data?

do you have the user and action fields and if you have action, what are the values.

If you are seeing nothing, then it will be one of

  • permissons to the data
  • fields not being extracted, so your search will not work

The best way to resolve this is to look at the field list (in verbose mode) so you can see the extracted fields and their typical values

 

0 Karma
Reply

jaibalaraman
Path Finder
‎10-05-2020 07:55 PM

basically i want to write SPL query to find out user log In & out in our website.

0 Karma
Reply

jaibalaraman
Path Finder
‎10-05-2020 07:53 PM

Hi 

Yes,  i am getting no data found

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-05-2020 07:04 PM

How do you know it's not working? Are you getting 0 results?

Do you know there is data that should appear?

Do all the fields you are searching by exist?

 

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...