How to edit my search on Windows security event logs to find which user was last logged in on a PC?

aanic
Path Finder

Hi,

I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.

Can you please help?

Thanks!

`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)
zshainsky
Splunk Employee

This can be a great resource for answering search questions with a specific sourcetype like WinEventLog:Security:
http://gosplunk.com/

DalJeanis
Legend

If you know the last time that YOU logged on to your PC, then you can use your own information to find the right format for the records. Let's say that you logged on about half an hour ago. Let's find your record.

earliest=-45m@m latest=-15m@m  `windows_idx` sourcetype="wineventlog:security"  "*NameofPC*" | head 10

That will find up to 10 records, between 45 and 15 minutes ago, that contain the name of your PC. If that shows no results, then you know your windows_idx macro or your sourcetype or the name of the fields or your NameofPC is wrong. Experiment until you get them right. The results will also show you the correct name and values for EventCode. On my system it is EventID.

Use what you learn to modify your search until it works to bring back YOUR logon records.

After that, you can expand the timeframe to bring in more records for the last day or week or whatever.

Good luck with your hunt!

DalJeanis
Legend

By the way, the most common issue is the spelling of the field names, specifically the case of the letters. Check that up front.

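The approach DalJeanis describes (look at real records first, then key on the right field names and remember they are case-sensitive) is easy to prototype outside Splunk. The script below is an added example, not code from the original thread or from Splunk: it parses a few constructed `field=value` records laid out roughly the way WinEventLog:Security events look after field extraction, normalises field-name case so `Account_Name` and `account_name` land on one key, keeps only the event codes of interest (the 4768/672 Kerberos ticket codes from the question plus 4624, the Windows "successful logon" event), ignores machine accounts (names ending in `$`), and reports the most recent user per computer. The record layout, the `TimeGenerated` field name and all hostnames and account names are constructed for the example; Splunk's own timestamp field is `_time`.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not real data). One blank-line-separated block per
# event; the field names imitate Splunk's extracted WinEventLog:Security fields.
# Note the deliberately lower-cased "account_name" in the second record.
SAMPLE_EVENTS = """\
TimeGenerated=2024-01-15 08:02:10
EventCode=4624
ComputerName=NameofPC.example.local
Account_Name=svc_backup
Logon_Type=5

TimeGenerated=2024-01-15 09:12:33
EventCode=4624
ComputerName=NameofPC.example.local
account_name=alice
Logon_Type=2

TimeGenerated=2024-01-15 09:40:01
EventCode=4768
ComputerName=DC01.example.local
Account_Name=NameofPC$

TimeGenerated=2024-01-15 10:58:12
EventCode=4634
ComputerName=NameofPC.example.local
Account_Name=alice

TimeGenerated=2024-01-15 11:05:47
EventCode=4624
ComputerName=OTHERPC.example.local
Account_Name=bob
Logon_Type=2
"""

# 4624 = successful logon; 4768 and its pre-2008 equivalent 672 are the Kerberos
# TGT-request codes used in the original search.
LOGON_CODES = frozenset({"4624", "4768", "672"})


def parse_events(raw: str) -> List[Dict[str, str]]:
    """Turn blank-line-separated field=value blocks into dicts.

    Field names are lower-cased so that Account_Name / account_name / ACCOUNT_NAME
    all map to the same key; that is the mistake DalJeanis says to check first.
    """
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if "=" not in line:
                continue
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
        if fields:
            events.append(fields)
    return events


def last_logon_per_computer(
    events: Iterable[Dict[str, str]], codes: Iterable[str] = LOGON_CODES
) -> Dict[str, Dict[str, str]]:
    """Return {short_hostname: {user, time, eventcode}} for the newest qualifying event."""
    wanted = set(codes)
    latest: Dict[str, tuple] = {}
    for ev in events:
        if ev.get("eventcode") not in wanted:
            continue  # logoffs (4634) and everything else are ignored
        user = ev.get("account_name", "")
        if not user or user.endswith("$"):
            continue  # computer accounts are not "the user who logged in"
        when = datetime.strptime(ev["timegenerated"], "%Y-%m-%d %H:%M:%S")
        # Key on the host that recorded the event, not on Account_Name, and
        # drop the DNS suffix so "NameofPC" and "NameofPC.example.local" match.
        host = ev.get("computername", "").split(".")[0].lower()
        if host not in latest or when > latest[host][0]:
            latest[host] = (when, user, ev["eventcode"])
    return {
        h: {"user": u, "time": w.isoformat(sep=" "), "eventcode": c}
        for h, (w, u, c) in latest.items()
    }


def last_user_on(events: Iterable[Dict[str, str]], pc_name: str) -> Optional[Dict[str, str]]:
    """Convenience lookup for one PC name (case-insensitive)."""
    return last_logon_per_computer(events).get(pc_name.lower())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, info in sorted(last_logon_per_computer(evs).items()):
        print(f"{host}: {info['user']} at {info['time']} (EventCode {info['eventcode']})")
```

The two things the script does that the original search does not are the ones most likely to fix it: it matches the PC name against the host field rather than `Account_Name` (a PC name in `Account_Name` only ever hits the machine account `NameofPC$`), and it treats field names case-insensitively, which is the first thing to verify against real records with the `| head 10` probe above.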