Hi,
I would like to get the list of all users, with roles and last login, via a Splunk query.
I tried the following query with a time range of "All time", but it shows an incorrect date for some users:
index=_audit action="login attempt" | stats max(timestamp) by user
Thank you,
Kind regards
Marta
How do you know it is incorrect? How are you validating the results?
I know that a colleague of mine logged in to the system today; instead, from that query I get that the last login is in 2021.
Kind regards
Marta
Have you found any events in _audit for them? (Try searching by their id)
Yes there is an event for my colleague for today.
What action is in that event? Why was it not found by your search?
I solved it using the "first" function
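Added example, not part of the original thread and not any poster's query: one way to list every local user with roles and last successful login, taking the latest event time (`_time`) instead of the text field `timestamp`. It assumes that `timestamp` in `_audit` is a month-first string, which `max()` would compare lexicographically rather than by date, and that the searching role is allowed to run `rest` against `/services/authentication/users`; the output field name `last_login` is chosen here for illustration.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title AS user
| join type=left user
    [ search index=_audit action="login attempt" info=succeeded earliest=0
      | stats latest(_time) AS last_login BY user ]
| eval last_login=if(isnull(last_login), "never", strftime(last_login, "%Y-%m-%d %H:%M:%S"))
| table user roles last_login
```

Users with no matching audit event inside the index retention period show `never`, which is also a quick way to spot dormant accounts.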