Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search on Windows security event logs to find which user was last logged in on a PC?

aanic
Path Finder
‎01-10-2017 02:07 AM

Hy,

I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.

Can you pls help?

Thanx!

`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)
0 Karma
Reply

zshainsky
Splunk Employee
Splunk Employee
‎01-10-2017 09:03 AM

This can be a great resource for answering search questions with a specific sourcetype like WinEventLog:Security:
http://gosplunk.com/

Reply

DalJeanis
Legend
‎01-10-2017 08:48 AM

If you know the last time that YOU logged in onto your pc, then you can use your own information to find the right format for the records. Let's say that you logged on about half an hour ago. Let's find your record. 

earliest=-45m@m latest=-15m@m  `windows_idx` sourcetype="wineventlog:security"  "*NameofPC*" | head 10

That will find up to 10 records, between 45 and 15 minutes ago, that contain the name of your pc. if that shows no results, then you know your windows_idx macro or your sourcetype or the name of the fields or your NameofPC is wrong. Experiment until you get them right. The results will also show you the correct name and values for EventCode. On my system it is EventID.

Use what you learn to modify your search until it works to bring back YOUR logon records.

After that, you can expand the timeframe to bring in more records for the last day or week or whatever.

Good luck with your hunt!

Reply

DalJeanis
Legend
‎01-10-2017 08:50 AM

By the way, the most common issue is the spelling of the field names, specifically the case of the letters. Check that up front.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...