How to list my splunk admin users list and last lo...

RASHO123 · ‎10-05-2017

I have a about 250 Admin users and I would like to to know when was the last time each of them have logged in. Is there a query that I can use

yannK · ‎10-05-2017

This search will look at all the login attempts , but does not contains roles informations.
to get the role /user mapping you need a rest call search.

Remarks :
- remember that they may be more than one role per user
- understand that if a role inherit from the role admin, you will not see it in the list.

index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login)

So you can add a join after to get the list of roles for each user.

  index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login) 
  | join user [ |rest /services/authentication/users | fields title roles  |rename title AS user ]

If you want to filter ahead only for members of the admin role, you can try this prefilter condition

 [ |rest /services/authentication/users | fields title roles  |rename title AS user | mvexpand roles |rename roles as role | where role="admin" ] 
index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user 
| convert ctime(last_login) 
| join user [ |rest /services/authentication/users | fields title roles  |rename title AS user ]

How to list my splunk admin users list and last login details.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms