I'm trying to pull a list of the last time User Accounts logged on. The part I need help on is the following. I'm looking for a finite list of User Accounts. This list is pulled from a csv file that was loaded.
Then from that list I'm looking at all of the successful logons from an index and I just want the time/User Account of the last logon from that user.
index=security "An account was successfully logged on." [search index=randomlogs host=useraccountlist | table UsrAcctName | fields + UsrAcctName]
I got the subsearch down but how do I use the results returned from the subsearch in my outer search to pull the _time and UsrAcctName?
The UsrAcctName I use in the inner search is called Account_Name in the search in the security index. So do I need to define this somewhere?
Any help would be appreciated.
Hi Phynyte,
this is un-tested, but you can try something like this:
index=security "An account was successfully logged on." [ search index=randomlogs host=useraccountlist | rename UsrAcctName AS Account_Name | return Account_Name ]
_time will be returned from your events from the outer search.
hope this helps ...
cheers, MuS
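Building on the answer above, here is a fuller query (an added example, not from the original thread) that also reduces the matching events to the last logon per account, which is what the question asks for. It assumes the same index, host and field names given in the question. One caveat: `return` with no count emits only one row by default, so a count is passed explicitly (subsearch output is also capped at 10,000 rows by default).

```spl
index=security "An account was successfully logged on."
    [ search index=randomlogs host=useraccountlist
      | dedup UsrAcctName
      | rename UsrAcctName AS Account_Name
      | return 10000 Account_Name ]
| stats max(_time) AS last_logon BY Account_Name
| sort - last_logon
| eval last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| table Account_Name last_logon
```

Accounts from the csv with no successful logon in the search time range will not appear in this output, so compare the result against the original list if you need to spot dormant accounts.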