Splunk Search

How to search a list of users who have tried to log in often or never logged in?

New Member

Hi,

Is there any search to get a list of users who have tried to log in often or never logged in?

Thanks,

V

0 Karma

Motivator

Hi,
try this:

| set intersect [ | rest /services/authentication/users | fields username ] [ search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields username ] ]
0 Karma

SplunkTrust

I would suggest creating a field for users who logged in, then creating another field for users who logged out, then doing a ...| stats count by

To make the fields you will need to find a pattern, then write a regular expression to capture it. Post a sample and I'll help write your regular expression.

0 Karma

New Member

Similar to this query, but without the csv option:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

0 Karma

SplunkTrust

I'm looking for the data sample (also known as events) which is returned when you run a query. It's impossible to create a regular expression without seeing the patterns in the data sample.

An example would be this

2/19/2016 12:01:00 - User gollam logged in 
2/19/2016 12:34:01 - User gollam logged out 
0 Karma

New Member

Give me any simple query.

0 Karma

New Member

Can you give me a regular expression to run the query?

0 Karma

New Member

Something like this:
index=_internal sourcetype=splunk_web_access | table user | dedup user

0 Karma

SplunkTrust

If you provide a data sample..

0 Karma
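
Added example, not posted by any participant in this thread: one search that covers both halves of the question without a CSV, by left-joining the REST user list onto per-user activity counted from the same `_internal` access sourcetypes the posts above use. It assumes the REST endpoint returns the account name in `title`; the 30-day window, the 1000-request threshold, and the field names `requests`, `last_seen` and `status` are illustrative choices.

```spl
| rest /services/authentication/users splunk_server=local
| fields title
| rename title AS user
| join type=left user
    [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) user=* user!="-" earliest=-30d
      | stats count AS requests latest(_time) AS last_seen BY user ]
| fillnull value=0 requests
| eval status=case(requests=0, "no activity in window", requests>=1000, "frequent", true(), "occasional")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table user requests last_seen status
| sort - requests
```

These sourcetypes record HTTP requests rather than login attempts, so `requests` measures activity, and an account with `requests=0` has only been inactive for as long as `_internal` data is retained and searched.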