Splunk Search

How can I create a table showing successful logins on a server?

mcoleman2
Explorer

How do I create a table that lists which user logged in to the windows server and the time that they successfully logged in?

1 Solution

alacercogitatus
SplunkTrust

Depends on your source data, but here is an example.

host=<your_server> EventCode=4624 | stats latest(login_time) by user

You will most likely need to change the field names to match your data.


mcoleman2
Explorer

Windows Server 2003

0 Karma

kmattern
Builder

In its simplest form, assuming you're searching an IIS log, use something like this:

index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | table date, time, cs_username

If you only want the first entry for each user, use this:

index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | dedup cs_username | table date, time, cs_username

Of course your index and sourcetype may vary, but you should get the idea.

alacercogitatus
SplunkTrust

We aren't assuming IIS; we KNOW it's Windows, it was in the problem description. Be careful using dedup: the search head must pull all matching events forward first, deduplicate (assuming you have the correct time order of events), and then table.

0 Karma

mcoleman2
Explorer

host= source="WinEventLog:Security" | table _time User

The above code worked well for what I wanted. Thank you both!

0 Karma

alacercogitatus
SplunkTrust

To more exactly get a search that is useful - we need your Windows Server version.

0 Karma

alacercogitatus
SplunkTrust

sourcetype="WinEventLog:Security" EventCode=528 | stats latest(_time) as "Logged In" by user host

0 Karma
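Pulling the thread's two searches together (EventCode 4624 for Windows Vista/2008 and later, EventCode 528 for Windows Server 2003), the following is an added example and not code from any of the answers above. It assumes an index named wineventlog and the field names user, Logon_Type, Workstation_Name and Source_Network_Address as extracted by the Splunk Add-on for Microsoft Windows; change them to match your own extractions. It goes beyond the accepted answer by restricting to the logon types an analyst usually means by "logged in" and by dropping machine and built-in accounts, which otherwise dominate the table.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=528)
    (Logon_Type=2 OR Logon_Type=3 OR Logon_Type=10)
| where NOT like(user, "%$")
| where NOT (upper(user)=="SYSTEM" OR upper(user)=="ANONYMOUS LOGON")
| eval logon_kind=case(
    Logon_Type=="2",  "interactive (console)",
    Logon_Type=="10", "remote interactive (RDP)",
    Logon_Type=="3",  "network (SMB/share)")
| stats earliest(_time) as first_login
        latest(_time)   as last_login
        count           as logins
        values(Source_Network_Address) as source_ips
        by host, user, logon_kind
| convert ctime(first_login) ctime(last_login)
| sort host, user, logon_kind
```

The index name and field names are assumptions; run `index=wineventlog EventCode=4624 | head 1` and inspect the extracted fields before relying on them. Logon_Type is filtered because a server's Security log also records service (type 5), batch (type 4) and unlock (type 7) logons as 4624, none of which is what "a user logged in" usually means. Machine accounts end in `$`, which is why `like(user, "%$")` removes them. On Windows Server 2003 a successful network logon is EventCode 540 rather than 528, so add `OR EventCode=540` if you want type 3 logons from those hosts. Both stats functions, earliest and latest, are computed per group in the indexers and then merged, so unlike dedup they do not depend on events arriving at the search head in time order.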