Splunk Search

How to search for who and when accessed the server?

New Member


I would like to search who (user) and when accessed the server (server_name)

I make a search like this but I don't get the right results.

dest="server_name" user="*" src="*" | table _time user src dest action

Can please somebody help me.

0 Karma


This depend on whether the server is Windows, unix, or something else.

To research this, use your own userid and the name of a server that you normally log on to, run a verbose search like this...

index=* "myserver" "myuserid"

Look at the results you get for the data and time you last logged on.

If it's Windows, you will be looking at an event 4624 (or some older ones in the 500 series).

If it's Unix, you will probably be looking at a PAM accepted record or something similar.

If it's an IBM mainframe, it will be a RACF record.

Look at the fields that are available on that record. Maybe you've misspelled them, or mis-capitalized them, or something. Maybe they just aren't there.

If that isn't enough to solve your problem, then update your question details showing the form of the record, with any confidential information masked. Change ip to or, host name to myhost.mycompany.com, userid to myuserid... stuff like that.

We'll get you through this.

0 Karma


marked code. Also, in general, you should always put the index name in your code.

0 Karma


What results are you getting and what do you expect to get?

If this reply helps you, Karma would be appreciated.
0 Karma

New Member

I get:

_time user src dest action
2017-08-09 14:36:04 n/a server-02 server-01 blocked
2017-08-09 11:41:09 n/a server-02 server-01 blocked
2017-08-09 09:55:21 n/a server-02 server-01 blocked

I'm supposed to get the users(usernames) who connect to server-01 (destination).
Am I missing something?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...