How to view oldest and last login of Splunk users?


For auditing and administration purposes I was trying to get a fast listing of first/last login times of all Splunk users.
So for a longer period not used accounts could be looked in to, or accounts that have never been used at all.

But to my surprise, and after trying all the similar questions on >answers it all is being fed from _internal or _audit.
Luckily we set the retention period longer than the defaults, but one seems only to be able to find activity within the period of those indexes. If you logged on before the earliest time event you appear not active.

On the searchhead ../etc/users/{userid}/ are files present for all users. There seems to be no file of which the timestamp indicates last login activity. One would assume an internal repository or user profile manager logs this anywhere.

So how to find this information on all users currently existing in Splunk - or what kind of sources/events to perhaps | collect to a specific auditing index if you have to rely short term on _internal/_audit?

What I've looked into (from the Monitor app):

|rest /servicesNS/-/-/authentication/users splunk_server=local

gives a nice view, but it lacks the columns that you have when e.g. looking into index sizes and parameters, like minTime or maxTime/last.

0 Karma

Revered Legend

I don't believe the first login type of specific event is logged in Splunk anywhere for users. It just logs the login events and keep it for the retention period of the index _audit. So it's easier to get last login but not first login. If you're just doing it for the auditing of which accounts are actually utilizing Splunk and which are not (so that you can clean them up may be), I would suggest to decide on a time-based criteria like "Accounts not logged in last 4 months" (no _audit login events in last 4 months), "Accounts logging monthly" (1-4 events in last 4 months),...etc. The query in the post referenced in @javiergn would give you enough data to categorized them based on max(timestamp) as _time

0 Karma

Super Champion
0 Karma


Thank you for replying; unfortunately not, looked into all related topics. That solution works fine, except it relies again on _audit with by default too little retention.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...