Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- User last login date
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sanju005ind
Communicator
07-28-2010
02:35 PM
I have a about 250 users and I would like to to know when was the last time each of them have logged in. Is there a query that I can use.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wollinet
Path Finder
07-28-2010
03:36 PM
Try
index=_audit action="login attempt" | stats max(timestamp) by user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisitanmoleck
Path Finder
08-20-2017
11:53 PM
The answer of wollinet works only for the current year, because the timestamp is mm-dd-yy.
So if you did login in December 2016 and January 2017, the last login will be December 2016.
Is it possible to modify the query that the order is yy-mm-dd?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bjoernhansen
Path Finder
11-07-2017
02:58 AM
Should be like this:
iindex=_audit action="login attempt" | stats latest(user) by user
It should actually not matter what you put inside the latest()...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wollinet
Path Finder
07-28-2010
03:36 PM
Try
index=_audit action="login attempt" | stats max(timestamp) by user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sanju005ind
Communicator
07-28-2010
03:54 PM
That works! Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stanwin
Contributor
07-14-2015
03:37 AM
action="login attempt" is not logged for 6.2.2 it seems..
works for 6.1.4 Build 233537
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marcospmr
Explorer
03-11-2016
11:54 AM
It works ok for 6.3.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sanju005ind
Communicator
07-28-2010
02:48 PM
They are splunk users. I would like to know when each user last logged in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
07-28-2010
02:47 PM
Can you elaborate a bit please? Are they splunk users and you want to look at splunk's audit logs or are they users in a different system? If they are a different system, what system, how do you get the logs, can you provide sample data?
You'll get a better answer the more detail you provide.
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
