Splunk Search

How to write the search to get the user logon and logoff details on Splunk search head?

lksridhar
Explorer

Hi Folks,

Could you please help me to get the search for Ldap user logon and logoff activity on Splunk search head?

Thanks,
Sridhar

0 Karma

brreeves_splunk
Splunk Employee
Splunk Employee

To Confirm @somesoni2's comment

index=_audit action=login*

Does pull logins. There are no logouts logged, as most people just close the window. But I tested by actually logging out, and didn't find any events generated.

0 Karma

somesoni2
Revered Legend

You're looking for logs for user login to your Splunk? If yes, then I don't believe there is any logoff events being generated in Splunk but you can use following to see the log-in events.

index=_audit action=login*
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!