Security

How to view oldest and last login of Splunk users?

tweaktubbie
Communicator

For auditing and administration purposes I was trying to get a fast listing of first/last login times of all Splunk users,
so that accounts not used for a longer period, or accounts that have never been used at all, could be looked into.

But to my surprise, and after trying all the similar questions on Answers, it all is being fed from _internal or _audit.
Luckily we set the retention period longer than the defaults, but one seems only to be able to find activity within the period of those indexes. If you logged on before the earliest event in the index, you appear not active.

On the search head, under ../etc/users/{userid}/, files are present for all users. There seems to be no file whose timestamp indicates last login activity. One would assume an internal repository or user profile manager logs this somewhere.

So how does one find this information on all users currently existing in Splunk, or what kind of sources/events should one perhaps | collect to a specific auditing index if you have to rely short term on _internal/_audit?

What I've looked into (from the Monitor app):

|rest /servicesNS/-/-/authentication/users splunk_server=local

gives a nice view, but it lacks the columns that you have when e.g. looking into index sizes and parameters, like minTime or maxTime/last.

0 Karma

somesoni2
Revered Legend

I don't believe a first-login type of specific event is logged in Splunk anywhere for users. It just logs the login events and keeps them for the retention period of the index _audit. So it's easier to get last login but not first login. If you're just doing it for the auditing of which accounts are actually utilizing Splunk and which are not (so that you can clean them up, maybe), I would suggest deciding on time-based criteria like "Accounts not logged in in the last 4 months" (no _audit login events in the last 4 months), "Accounts logging in monthly" (1-4 events in the last 4 months), ...etc. The query in the post referenced by @javiergn would give you enough data to categorize them based on max(timestamp) as _time.

0 Karma
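Putting the two halves of this thread together (the OP's idea of using | collect to keep login events beyond _audit's retention, and somesoni2's suggestion to bucket accounts by their login activity), here is an added example. It is not code from the thread or from Splunk's documentation. The first search is meant to run on a daily schedule and copies each day's successful logins from _audit into a long-retention summary index; the second is the report, which unions that summary index with _audit and joins the result against the REST user list so that accounts with no login at all still appear. Assumptions: the index name user_login_history is hypothetical and has to be created in indexes.conf with the retention you want; action="login attempt", info=succeeded and clientip are the field values I expect in _audit login events, which you should confirm against your own data (for example with index=_audit action="login attempt" | stats count by info); the 4-month window, the 120-day cut-off and the 1-4 login band follow somesoni2's criteria and are arbitrary.

```spl
index=_audit action="login attempt" info=succeeded earliest=-1d@d latest=@d
| table _time user clientip
| collect index=user_login_history

(index=_audit action="login attempt" info=succeeded) OR (index=user_login_history) earliest=-4mon@mon
| eval source_kind="login", login_sec=floor(_time)
| append
    [ | rest /servicesNS/-/-/authentication/users splunk_server=local
      | rename title AS user
      | eval source_kind="user_list"
      | table user source_kind ]
| stats count(eval(source_kind="user_list")) AS in_user_list,
        dc(login_sec) AS logins,
        min(_time) AS first_login_seen,
        max(_time) AS last_login_seen
        BY user
| where in_user_list > 0
| eval days_since_last = round((now() - last_login_seen) / 86400, 1)
| eval status = case(isnull(last_login_seen), "no successful login in retained data",
                     days_since_last > 120,   "inactive (no login in last 4 months)",
                     logins <= 4,             "occasional (1-4 logins in window)",
                     true(),                  "active")
| fieldformat first_login_seen = strftime(first_login_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_login_seen  = strftime(last_login_seen,  "%Y-%m-%d %H:%M:%S")
| table user status logins first_login_seen last_login_seen days_since_last
| sort status, last_login_seen
```

Schedule the first search once a day shortly after midnight, with the earliest=-1d@d latest=@d window shown, so that every successful login is written to the summary index exactly once; the table command drops _raw, so collect builds the summary event from the listed fields and user and clientip are extracted again at search time. While an event is still present in both _audit and the summary index the report would count it twice, which is why logins is dc(login_sec) (distinct login seconds per user) rather than count; min and max are unaffected by the duplicates. Rows from the REST list that never matched a login keep a null last_login_seen and fall into the first status bucket; dropping the where line additionally surfaces logins by accounts that no longer exist. first_login_seen is still only "first login within retained data": as somesoni2 says, a login that happened before the summary index started filling cannot be recovered.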

javiergn
Super Champion
0 Karma

tweaktubbie
Communicator

Thank you for replying; unfortunately not, I looked into all related topics. That solution works fine, except that it relies again on _audit, which by default has too little retention.

0 Karma