Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

subsearch question

Phynyte
New Member
‎03-11-2014 07:53 AM

I'm trying to pull a list of the last time User Accounts logged. The part I need help on is the following.I'm looking for a finite list of User Accounts. This list is pulled from a csv file that was loaded.

Then from that list I'm looking at all of the successful logons from an index and I just want the time/User Account of the last logon from that user.

index=security "An account was successfully logged on." [search index=randomlogs host=useraccountlist | table UsrAcctName | fields + UsrAcctName]

I got the subsearch down but how do I use the results returned from the subsearch in my outer search to pull the _time and UsrAcctName?

The UsrAcctName I use in the inner search is called Account_Name in the search in the security index. So do I need to define this somewhere?

Any help would be appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎03-11-2014 08:09 AM

Hi Phynyte,

this is un-tested, but you can try something like this:

index=security "An account was successfully logged on." [ search index=randomlogs host=useraccountlist | rename UsrAcctName AS Account_Name | return Account_Name ]

_time will be returned from your events from the outer search.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎03-11-2014 08:09 AM

Hi Phynyte,

this is un-tested, but you can try something like this:

index=security "An account was successfully logged on." [ search index=randomlogs host=useraccountlist | rename UsrAcctName AS Account_Name | return Account_Name ]

_time will be returned from your events from the outer search.

hope this helps ...

cheers, MuS

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...