Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for users Splunk login activity for * days

crlunde
Loves-to-Learn Everything
‎01-21-2022 12:34 PM

Hello,

I'm trying to search Splunk for user activity pertaining to logging into Splunk for X # of days. Everything I've tried so far returns some results but not all.  I've searched the _audit index as well as |rest /services/authentication/httpauth-tokens | fields userName, timeAccessed |dedup userName sortby timeAccessed. 

Does anyone have a search for this or a dashboard that would pull this information?

I need:

user, date last accessed at a minimum.

 

Thanks,

Craig

 
 

 

 
 
Labels (4)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-22-2022 08:56 AM

Hi

something like this

index = _audit user="*" action="login attempt" info=succeeded
| stats count values(_time) as lTimes by users
| convert ctime(lTimes) as loginTimes

r. Ismo  

0 Karma
Reply

crlunde
Loves-to-Learn Everything
‎01-24-2022 12:07 PM

Thank you for your response. 

Unfortunately that query didn't pull any data.

I can get user / last logon date using this query but cannot pull data for older dates.

| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup suerName sort by timeAccessed

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!