Splunk Search

How to edit my search on Windows security event logs to find which user was last logged in on a PC?

Path Finder

Hy,

I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.

Can you pls help?

Thanx!

`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)
0 Karma

Splunk Employee
Splunk Employee

This can be a great resource for answering search questions with a specific sourcetype like WinEventLog:Security:
http://gosplunk.com/

SplunkTrust
SplunkTrust

If you know the last time that YOU logged in onto your pc, then you can use your own information to find the right format for the records. Let's say that you logged on about half an hour ago. Let's find your record.

earliest=-45m@m latest=-15m@m  `windows_idx` sourcetype="wineventlog:security"  "*NameofPC*" | head 10

That will find up to 10 records, between 45 and 15 minutes ago, that contain the name of your pc. if that shows no results, then you know your windows_idx macro or your sourcetype or the name of the fields or your NameofPC is wrong. Experiment until you get them right. The results will also show you the correct name and values for EventCode. On my system it is EventID.

Use what you learn to modify your search until it works to bring back YOUR logon records.

After that, you can expand the timeframe to bring in more records for the last day or week or whatever.

Good luck with your hunt!

SplunkTrust
SplunkTrust

By the way, the most common issue is the spelling of the field names, specifically the case of the letters. Check that up front.

0 Karma