Splunk Search

How can I create a table showing successful logins on a server?

mcoleman2
Explorer

How do I create a table that lists which user logged in to the windows server and the time that they successfully logged in?

1 Solution

alacercogitatus
SplunkTrust

Depends on your source data - but here may be an example.

host=<your_server> EventCode=4624 | stats latest(login_time) by user

You will most likely need to change the field names to match your data.


mcoleman2
Explorer

Windows Server 2003


kmattern
Builder

In its simplest form, assuming you're searching an IIS log, use something like this

index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | table date, time, cs_username

If you only want the first entry for each user use this

index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | dedup cs_username | table date, time, cs_username

Of course your index and sourcetype may vary but you should get the idea

alacercogitatus
SplunkTrust

We aren't assuming IIS - We KNOW Windows, it was in the problem description. Be careful using dedup - the search head must pull all matching events forward first, deduplicate (assuming you have the correct time order of events) and then table.


mcoleman2
Explorer

host= source="WinEventLog:Security" | table _time User

The above code worked well for what I wanted. Thank you both!



alacercogitatus
SplunkTrust

To more exactly get a search that is useful - we need your Windows Server version.


alacercogitatus
SplunkTrust

sourcetype=WinEventLog:Security EventCode=528 | stats latest(_time) as "Logged In" by user host
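A fuller version of the search, added here as an example and not taken from any post in the thread. It combines the two successful-logon event codes that appear above (EventCode 528 on Windows Server 2003, EventCode 4624 on Windows Server 2008 and later), keeps the `host=<your_server>` placeholder from the accepted answer, and reports the most recent successful logon plus a count per user and host. The `user` field name, the `host=<your_server>` placeholder, and the exclusions for machine accounts (names ending in `$`) and `ANONYMOUS LOGON` are assumptions about how the Windows add-on extracts fields; as the accepted answer says, rename them to match your data.

```spl
host=<your_server> sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=528)
    user!="*$" user!="ANONYMOUS LOGON"
| stats latest(_time) AS last_login, count AS successful_logons BY user, host
| sort - last_login
| convert ctime(last_login)
| table user, host, last_login, successful_logons
```

Aggregating with `stats latest(_time)` rather than `dedup` is deliberate: `stats` reduces events on the indexers, whereas, as noted in the thread, `dedup` has to pull every matching event to the search head before discarding the older copies. The `sort` runs before `convert` so ordering is done on the epoch value rather than on the formatted string. Filtering out machine accounts and anonymous logons removes the background noise that would otherwise dominate a logon table on any domain-joined server; if the aim is to see only human console and remote-desktop sessions, the `Logon_Type` field (assumed to be extracted by the Windows add-on) can narrow the results further.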