Security

How to find out user Log in & Log out for the application

jaibalaraman
Path Finder

Hi 

I tried the below SPL query, which is not working. Can anyone help me?

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message 

OR

source="*" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*


bowesmana
SplunkTrust

OK, so take for example this query

index=aws  sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message 

If you run this query in verbose mode (but do last 15 minutes, not last 30 days), then in the Events tab you will see a list of fields. Do the fields you are using in the search exist?

Do you have permission to view events in the aws index?

If you just use index=aws for the last 15 minutes, do you see any data?

Do you have the user and action fields, and if you have action, what are the values?

If you are seeing nothing, then it will be one of

  • permissions to the data
  • fields not being extracted, so your search will not work

The best way to resolve this is to look at the field list (in verbose mode) so you can see the extracted fields and their typical values

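As an added illustration of the field check described above (not part of the original answer), the first search lists whether the user, action and status fields are actually extracted in the aws index over the last 15 minutes and what values they carry; the second is a login/logout summary per user that only makes sense once those fields are confirmed. The field names and the login/logout values are taken from the original question and are assumed to match the data.

```spl
index=aws earliest=-15m
| fieldsummary maxvals=10
| search field="user" OR field="action" OR field="status"
| table field count distinct_count values

index=aws earliest=-30d user=* (action="login" OR action="logout")
| eval direction=if(action=="login", "in", "out")
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY user direction status
| sort user first_seen
| convert ctime(first_seen) ctime(last_seen)
```

If the first search returns no rows for a field, the second search cannot match on it; check the field extractions for the sourcetype before tuning the search itself.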

jaibalaraman
Path Finder

Basically I want to write an SPL query to find out user log in & out on our website.


jaibalaraman
Path Finder

Hi 

Yes, I am getting "no data found".


bowesmana
SplunkTrust

How do you know it's not working? Are you getting 0 results?

Do you know there is data that should appear?

Do all the fields you are searching by exist?
