Hi,
Looking to get some help with a query for the following:
A list of users who have logged into Splunk in the last 30 days and what apps/indexes they accessed.
Thanks.
Hi aknsun,
To know the logged-in Splunk users, you have to run a search like this:
index=_audit sourcetype = audittrail action="login attempt"
To know the App accessed you can use something like this:
index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
| rex field=uri ".*\/app\/(?<app>[^\/]*)\/"
To correlate them, you could run something like this:
(index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-) OR (index=_audit sourcetype = audittrail action="login attempt")
| rex field=uri ".*\/app\/(?<app>[^\/]*)\/"
| stats count BY user app
Ciao.
Giuseppe
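The correlation in this answer, reproduced as an added Python example over constructed sample events (this is not code from the original answer or from Splunk): it applies the same `/app/` extraction, the GET/200/`user!=-` filters and a 30-day window, and it keeps users who logged in but opened no app, which `stats count BY user app` silently drops because login events carry no app field. The event field names and timestamps are assumptions for the sample only.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Same extraction as the rex above: the app is the path segment after "/app/".
APP_RE = re.compile(r".*/app/(?P<app>[^/]*)/")
# Constructed sample events (not real Splunk output); "-" is the user on anonymous hits.
WEB_ACCESS = [  # sourcetype=splunk_web_access
    {"time": "2024-05-01T09:00:00+00:00", "user": "alice", "method": "GET", "status": 200, "uri": "/en-US/app/search/search?q=index%3Dmain"},
    {"time": "2024-05-02T09:05:00+00:00", "user": "alice", "method": "GET", "status": 200, "uri": "/en-US/app/launcher/home"},
    {"time": "2024-05-03T11:00:00+00:00", "user": "-", "method": "GET", "status": 200, "uri": "/en-US/account/login"},  # no user, no /app/
    {"time": "2024-05-03T11:01:00+00:00", "user": "carol", "method": "GET", "status": 200, "uri": "/en-US/app/SplunkEnterpriseSecuritySuite/ess_home"},
]
AUDIT = [  # sourcetype=audittrail
    {"time": "2024-05-01T08:59:00+00:00", "user": "alice", "action": "login attempt"},
    {"time": "2024-03-01T08:59:00+00:00", "user": "dave", "action": "login attempt"},  # older than 30 days
    {"time": "2024-05-03T10:59:00+00:00", "user": "carol", "action": "login attempt"},
    {"time": "2024-05-04T10:59:00+00:00", "user": "erin", "action": "login attempt"},  # logged in, opened no app
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "now" for the 30-day window

def extract_app(uri):
    m = APP_RE.match(uri)
    return m.group("app") if m else None

def in_window(event, now, days):
    return datetime.fromisoformat(event["time"]) >= now - timedelta(days=days)

def users_logged_in(audit, now=NOW, days=30):
    """index=_audit sourcetype=audittrail action="login attempt", limited to the last N days."""
    return sorted({e["user"] for e in audit if e["action"] == "login attempt" and in_window(e, now, days)})

def app_access(web, now=NOW, days=30):
    """GET/200 hits by a named user, app taken from the URI, counted by (user, app)."""
    counts = Counter()
    for e in web:
        if e["method"] != "GET" or e["status"] != 200 or e["user"] == "-" or not in_window(e, now, days):
            continue
        app = extract_app(e["uri"])
        if app is not None:  # events with no app field drop out of "stats count BY user app"
            counts[(e["user"], app)] += 1
    return counts

def report(web=WEB_ACCESS, audit=AUDIT, now=NOW, days=30):
    """Every user with a login in the window plus their app hit counts; login-only users keep an empty dict."""
    out = {u: {} for u in users_logged_in(audit, now, days)}
    for (user, app), n in app_access(web, now, days).items():
        out.setdefault(user, {})[app] = n  # web hits with no matching login in the window still appear
    return out
```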
Thanks @gcusello. That worked.