Splunk Search

How to write the search to get the user logon and logoff details on Splunk search head?


Hi Folks,

Could you please help me to get the search for Ldap user logon and logoff activity on Splunk search head?


0 Karma

Splunk Employee
Splunk Employee

To Confirm @somesoni2's comment

index=_audit action=login*

Does pull logins. There are no logouts logged, as most people just close the window. But I tested by actually logging out, and didn't find any events generated.

0 Karma

Revered Legend

You're looking for logs for user login to your Splunk? If yes, then I don't believe there is any logoff events being generated in Splunk but you can use following to see the log-in events.

index=_audit action=login*
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!