Splunk Search

Query user login over a period of time

Skadrir
Explorer

I am trying to query our windows and linux indexes to verify how many times a user has logged in over a period of time.

Currently, I only care about the last 7 days. I've tried to run some queries, but it's not very fruitful.

Can I gain some assistance with generating a query for determining the number of logins over a period of time, please?

Thank you.


fredclown
Builder

Is something like this what you are looking for? Set the time range picker to your desired range.

index=windows EventCode=4624 Account_Name IN ("Larry","Curly","Moe")
| eval Logon_Account_Name=mvindex(Account_Name, 1)
| table _time, ComputerName, Logon_Account_Name
| sort _time

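If the goal is a count per user rather than a listing, the accepted search can be turned into a summary. This is an added example, not from the thread; it assumes the same index=windows, EventCode=4624, Account_Name and ComputerName fields the answer uses, and the standard Windows Logon_Type field that 4624 events carry. The IN list of account names is a placeholder to replace with the real users.

```spl
index=windows EventCode=4624 earliest=-7d@d latest=now
| eval Logon_Account_Name=mvindex(Account_Name, 1)
| search Logon_Account_Name IN ("Larry","Curly","Moe")
| stats count AS logins,
        min(_time) AS first_logon,
        max(_time) AS last_logon,
        dc(ComputerName) AS hosts,
        values(Logon_Type) AS logon_types
        BY Logon_Account_Name
| eval first_logon=strftime(first_logon, "%Y-%m-%d %H:%M:%S"),
       last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| sort - logins
```

Filtering on Logon_Account_Name after the mvindex eval matches only the account that actually logged on (index 1), not the subject account in index 0, so a user's count is not inflated by events where the name appears only as the subject; replacing the stats line with `| timechart span=1d count BY Logon_Account_Name` gives the same data as a per-day breakdown.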

Skadrir
Explorer

I tailored the query to the appropriate fields and voila, it worked.

I appreciate your efforts and thank you for your time.

yuanliu
SplunkTrust

This is a Splunk forum. No one here knows what your data source looks like. To ask an answerable data analytics question, follow these golden rules; nay, call them the four commandments:

  • Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
  • Illustrate the desired output from illustrated data.
  • Explain the logic between illustrated data and desired output without SPL.
  • If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.

Skadrir
Explorer

Effectively I want to comb through the windows event logs to determine logon dates and times for a specific user(s) and output those entries into a table with username, date and time. We have a windows index and we want to query the last seven days and the number of logins for a given user.

I would imagine it'd be fairly simple to do, I just don't SPL. This is why I engaged the brain trust online in this forum. I don't splunk as a day job, so I'm not familiar with the intricacies with SPL.

In short, give all entries from windows security logs for the last seven days from the windows index for a specific user with event ID 4624.

Thank you.
