I have about 250 users and I would like to know when each of them last logged in. Is there a query that I can use?
Can you elaborate a bit please? Are they Splunk users and you want to look at Splunk's audit logs, or are they users in a different system? If they are in a different system, what system, how do you get the logs, and can you provide sample data?
You'll get a better answer the more detail you provide.
The answer of wollinet works only for the current year, because the timestamp is mm-dd-yy.
So if you did log in in December 2016 and January 2017, the last login will be December 2016.
Is it possible to modify the query so that the order is yy-mm-dd?
Should be like this:
index=_audit action="login attempt" | stats latest(user) by user
It should actually not matter what you put inside the latest()...
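An added example, not part of the original thread: one way to avoid the year-rollover ordering problem raised above is to aggregate and sort on the numeric epoch value in `_time`, and only format it as a year-first string for display. It assumes the default Splunk audit fields `user` and `info` (with `info=succeeded` marking successful logins); the field names `last_login_epoch` and `last_login` are made up for this example.

```spl
index=_audit action="login attempt" info=succeeded
| stats latest(_time) as last_login_epoch by user
| sort 0 - last_login_epoch
| eval last_login=strftime(last_login_epoch, "%Y-%m-%d %H:%M:%S")
| table user last_login
```

Users with no successful login inside the search time range will not appear in the result, so the range has to reach back far enough to cover dormant accounts.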