Solved: Re: User last login date

sanju005ind · ‎07-28-2010

I have a about 250 users and I would like to to know when was the last time each of them have logged in. Is there a query that I can use.

wollinet · ‎07-28-2010

Try

index=_audit action="login attempt" | stats max(timestamp) by user

View solution in original post

chrisitanmoleck · ‎08-20-2017

The answer of wollinet works only for the current year, because the timestamp is mm-dd-yy.
So if you did login in December 2016 and January 2017, the last login will be December 2016.

Is it possible to modify the query that the order is yy-mm-dd?

bjoernhansen · ‎11-07-2017

Should be like this:
iindex=_audit action="login attempt" | stats latest(user) by user

It should actually not matter what you put inside the latest()...

wollinet · ‎07-28-2010

Try

index=_audit action="login attempt" | stats max(timestamp) by user

sanju005ind · ‎07-28-2010

That works! Thanks a lot.

stanwin · ‎07-14-2015

action="login attempt" is not logged for 6.2.2 it seems..

works for 6.1.4 Build 233537

marcospmr · ‎03-11-2016

It works ok for 6.3.

sanju005ind · ‎07-28-2010

They are splunk users. I would like to know when each user last logged in Splunk.

ftk · ‎07-28-2010

Can you elaborate a bit please? Are they splunk users and you want to look at splunk's audit logs or are they users in a different system? If they are a different system, what system, how do you get the logs, can you provide sample data?

You'll get a better answer the more detail you provide.

User last login date

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation