Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: chopping up lastlog
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have managed to get our linux hosts' lastlog data in our Splunk> (version 5.0.2, build 149561) easily enough, but what I am trying to accomplish (with any additional app installs, thanks) is "chop up" the lastlog results into a
chart by host, user, ip and date.
I tried at Extract Fields on the results and could NOT get it to recognize a list of 40 names?
20 Most Common and 20 'Random' names either together or separately both return "No regex could be learned. Try providing different examples or restriction."
I tried the actual names from "sample events" and it just barks the same message.
Even the simple names list (Lucy Ricky Fred Ethel) fails.
We have the Splunk_TA_nix installed.
Sample data via splunk shows:
USERNAME FROM LATEST
root xx.xxx.61.95 Jun 5 06:15:58 2013
some_user isp-24-249-207- Jun 4 08:03:29 2013
another_user what.ever Jun 2 13:00:15 2013
Edit: Wed Jun 05, 2013 - 1:01:38 PM EDT
Extracted Fields vs Indexed Fields...so I want to extract the usernames from the output of
sourcetype="lastlog" host="*"
Fri Jun 07, 2013 - 2:22:40 PM EDT
Some progress...
\w+\s+\w+\s+\w+\s+(?P
but this only grabs "root" and one other username
so, still banging away...
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this what you're looking for?:
index=os sourcetype=lastlog|multikv|table host,LATEST,FROM,USERNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this what you're looking for?:
index=os sourcetype=lastlog|multikv|table host,LATEST,FROM,USERNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also found this format to be useful and easy to read.
sourcetype="lastlog" |dedup host| multikv |stats list(USERNAME) AS login_user, list(LATEST) AS login_time by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jj: if glitch's answer solved your problem, please accept his answer by checking the checkbox. thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very close and it gives me so much to work with. I can shape the output further thanks to you and this working example.
sourcetype="lastlog"| multikv|table host,USERNAME,LATEST,FROM | dedup host sortby lastlogin_time | table host,USERNAME,LATEST,FROM
Thank you very much!
John Jones of
cirrhus9.com
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
