Security

How to find out user Log in & Log out for the application

jaibalaraman
Path Finder

Hi 

I tried the SPL query below, which is not working. Can anyone help me?

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message 

OR

source="*" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*

0 Karma

bowesmana
SplunkTrust

OK, so take for example this query

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message 

If you run this query in verbose mode (but do last 15 minutes, not last 30 days), then in the events tab you will see a list of fields. Do the fields you are using in the search exist?

Do you have permission to view events in the aws index?

If you just use index=aws for the last 15 minutes, do you see any data?

Do you have the user and action fields, and if you have action, what are the values?

If you are seeing nothing, then it will be one of

  • permissions to the data
  • fields not being extracted, so your search will not work

The best way to resolve this is to look at the field list (in verbose mode) so you can see the extracted fields and their typical values


0 Karma
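Two searches that apply the checks above, as an added example rather than anything posted in this thread; the index, field names and time ranges are assumed from the question. The first lists the extracted fields and their typical values for a short window, the second (run only once those fields are confirmed) summarises logins and logouts per user and flags users with a login but no matching logout:

```spl
index=aws earliest=-15m
| fieldsummary maxvals=10
| search field IN ("user", "action", "status", "reason")
| table field count distinct_count values

index=aws earliest=-30d user="*" (action=login OR action=logout)
| stats count(eval(action="login")) AS logins
        count(eval(action="logout")) AS logouts
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY user
| convert ctime(first_seen) ctime(last_seen)
| where logins > logouts
```

If the first search returns no rows for "user" or "action", the fields are not being extracted for that sourcetype and the second search will never match, regardless of the time range.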

jaibalaraman
Path Finder

Basically, I want to write an SPL query to find out user log in & out on our website.

0 Karma

jaibalaraman
Path Finder

Hi 

Yes, I am getting "No data found".


0 Karma

bowesmana
SplunkTrust

How do you know it's not working? Are you getting 0 results?

Do you know there is data that should appear?

Do all the fields you are searching by exist?


0 Karma