How to add column of last login date/time for Target users?

dmcavoy
New Member

How can I add a column to my search below that displays the Target_Account_Name's last login date/time?

index=windows_sec "EventCode=630" OR "EventCode=4726" | eval "Time and Date"=strftime(_time, "%H:%M %Y/%m/%d") | table "Time and Date" "Target_Account_Name" "Caller_Domain" "ComputerName" "Caller_User_Name" | rename "Target_Account_Name" as "Username" "Caller_Domain" as "Domain" "ComputerName" as "Computer Name" "Caller_User_Name" as "Deleted By"

0 Karma

somesoni2
SplunkTrust

Try something like this

index=windows_sec ("EventCode=630" OR "EventCode=4726" OR "EventCode=528" OR "EventCode=4624")
| stats first(<<Field from "EventCode=528" OR "EventCode=4624" which has the last login date>>) as last_login_date, first(<<other required fields from "EventCode=630" OR "EventCode=4726">>) ... by Target_Account_Name

Assuming that Target_Account_Name is the common user name field for all these event codes.

0 Karma
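The single-stats approach from the answer above, written out as an added example (not code from the original thread) so the deleted-account events and the last successful logon for the same user land on one row without a join. It assumes the account name is in Target_Account_Name on 630/4726 events and in Account_Name on 528/4624 events (adjust to whatever your Windows add-on extracts; on 4624, Account_Name can be multivalued with the subject account first), and a last login can only be found if a logon event falls inside the search time range.

```spl
index=windows_sec (EventCode=630 OR EventCode=4726 OR EventCode=528 OR EventCode=4624)
| eval user=coalesce(Target_Account_Name, Account_Name)
| eval login_time=if(EventCode=528 OR EventCode=4624, _time, null())
| eval delete_time=if(EventCode=630 OR EventCode=4726, _time, null())
| stats max(login_time) as last_login, max(delete_time) as deleted_at, latest(Caller_User_Name) as deleted_by, latest(Caller_Domain) as domain, latest(ComputerName) as computer by user
| where isnotnull(deleted_at)
| eval last_login=if(isnotnull(last_login), strftime(last_login, "%H:%M %Y/%m/%d"), "no logon in search window")
| eval deleted_at=strftime(deleted_at, "%H:%M %Y/%m/%d")
| table deleted_at user domain computer deleted_by last_login
```

The `where isnotnull(deleted_at)` keeps only accounts that were actually deleted, so users who merely logged on do not appear; widen the time range if the last_login column shows "no logon in search window" for accounts you expect to have logged on.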

dmcavoy
New Member

Yeah both those event codes do have logs. Am I going to have to perform a join query for this then? I specifically need event code 630 and 4726 as they are event codes for deleted windows accounts.

0 Karma

somesoni2
SplunkTrust

Do your logs contain entries with "EventCode=528" OR "EventCode=4624"? These entries contain successful login details, and you can use them to get your last login date/time.

0 Karma