Hi,
Is there any search to get a list of users who have tried to log in often or never logged in?
Thanks,
V
Hi,
Try this:
|set intersect[|rest /services/authentication/users|fields username][search NOT[ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields username ]]
I would suggest creating a field for users who logged in, then creating another field for users who logged out, then doing a ...| stats count by
To make the fields, you will need to find a pattern and then write a regular expression to capture it. Post a sample and I'll help write your regular expression.
Something similar to this query, but without the CSV option:
| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]
I'm looking for the data sample (also known as events) that is returned when you run a query. It's impossible to create a regular expression without seeing the patterns in the data sample.
An example would be this:
2/19/2016 12:01:00 - User gollam logged in
2/19/2016 12:34:01 - User gollam logged out
Give me any simple query.
Can you give me a regular expression to run the query?
Something like this:
index=_internal sourcetype=splunk_web_access | table user | dedup user
If you provide a data sample...
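
An added example, not part of any post in this thread: the regular-expression approach discussed above, applied to events in the "User gollam logged in" format and compared against a list of all accounts to report who logs in often and who never has. The extra event lines, the account list and the `often` threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample events in the format shown in the thread.
SAMPLE_EVENTS = """\
2/19/2016 12:01:00 - User gollam logged in
2/19/2016 12:34:01 - User gollam logged out
2/19/2016 13:05:10 - User gollam logged in
2/19/2016 13:07:42 - User frodo logged in
2/19/2016 13:09:00 - splunkd heartbeat
2/19/2016 14:20:31 - User gollam logged in
"""

# Constructed list of all known accounts (the role allusers.csv plays above).
ALL_USERS = ["gollam", "frodo", "sam"]

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"User (?P<user>\S+) logged (?P<action>in|out)$"
)

def count_logins(text):
    """Return a Counter of 'logged in' events per user; skip non-matching lines."""
    logins = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("action") == "in":
            logins[m.group("user")] += 1
    return logins

def classify(text, all_users, often=3):
    """Split known users into frequent (>= `often` logins, an assumed threshold)
    and never seen (zero logins)."""
    logins = count_logins(text)
    frequent = sorted(u for u in all_users if logins[u] >= often)
    never = sorted(u for u in all_users if logins[u] == 0)
    return frequent, never

if __name__ == "__main__":
    frequent, never = classify(SAMPLE_EVENTS, ALL_USERS)
    print("logged in often:", frequent)
    print("never logged in:", never)
```

Logout events and lines that do not match the pattern are ignored, so only successful "logged in" events count toward the threshold.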