Splunk Cloud Platform

How to get all users with roles and last login

Marta88
Explorer

Hi,

I would like to get the list of all users, with roles and last login, via a Splunk query.

I tried the following query with a time range of "alltime", but it shows an incorrect date for some users:

index=_audit action="login attempt" | stats max(timestamp) by user

Thank you,

Kind regards

Marta

 

0 Karma

ITWhisperer
SplunkTrust

How do you know it is incorrect? How are you validating the results?

0 Karma

Marta88
Explorer

I know that a colleague of mine logged in to the system today, but with that query I get that the last login was in 2021.

Kind regards

Marta

 

0 Karma

ITWhisperer
SplunkTrust

Have you found any events in _audit for them? (Try searching by their id)

0 Karma

Marta88
Explorer

Yes, there is an event for my colleague for today.

0 Karma

ITWhisperer
SplunkTrust

What action is in that event? Why was it not found by your search?

0 Karma

Marta88
Explorer

I solved it using the "first" function

0 Karma
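
The thread does not show the final search, so here is one way to produce the report asked for in the question, as an added example that is not code from any participant. It takes the last login from the indexed event time (`_time`) rather than the text `timestamp` field, since `stats max()` orders non-numeric values lexicographically. It assumes your role is allowed to run `| rest`, that successful logins carry `info=succeeded`, and that the `_audit` index retains events far enough back.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title AS user
| join type=left user
    [ search index=_audit action="login attempt" info=succeeded earliest=0
      | stats latest(_time) AS last_login BY user ]
| eval last_login=if(isnull(last_login), "never", strftime(last_login, "%Y-%m-%d %H:%M:%S"))
| eval roles=mvjoin(roles, ", ")
| table user roles last_login
| sort user
```

Users listed as "never" have no successful login event within the retained audit data, which makes the output usable as a stale-account review list.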