Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query to get admin group log-in events

Ravan
Path Finder
‎12-28-2011 05:29 AM

Is there is any splunk query to get all login events for all users from administrators group.

0 Karma
Reply

Kate_Lawrence-G
Contributor
‎12-30-2011 11:21 AM

Hi,
This depends on our authentication method are you using local or LDAP/AD logins? Either way I think you'd need to use a subsearch that first looks for the user logins and then determines if they are part of the admin group "like" this:

source=<login events> user=* [source=<table or log that determines admin group membership> | fields user] | stats count by user
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...