Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need user logon events for 12 months

pratapa
Explorer
‎03-12-2020 11:48 PM

Hi,

Following query displays user logon events for the last 10 days. We need user logon events for the last 12 months. How can this be achieved.

index=main sourcetype=WinEventLog (EventCode=4624 OR EventCode=4634) user=pratapa.ln
| eval day=strftime(_time,"%d/%m/%Y") | stats earliest(_time) AS earliest latest(_time) AS latest by user host day
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-13-2020 03:45 AM

Hi @pratapa,
you can use the Time Picke,r setting as option "Relative Time" and choosing "Last 12 months".
Otherwise, you can add to you main search earliest=-12mon.

Obviously it will be a very slow search that I suggest to put in background to avoid that it will go in timeout.
When it will be finished, you can resume it in Activities; in addition you can configure an email sending at the end.

Ciao.
Giuseppe

0 Karma
Reply

pratapa
Explorer
‎03-23-2020 08:35 AM

Thanks for your response.

We incorporated earliest=-12mon in the query. But still It is displaying logon events for the last 10 days.

index=main sourcetype=WinEventLog (EventCode=4624 OR EventCode=4634) user=pratapa.ln earliest=-12mon
| eval day=strftime(_time,"%d/%m/%Y") | stats earliest(_time) AS earliest latest(_time) AS latest by user host day
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")

User wants the data to be retained for 12 months. To achieve this, we have created a new index with the name "retention" with the following parameters.

[retention]
coldPath = $SPLUNK_DB/retention/colddb
homePath = $SPLUNK_DB/retention/db
thawedPath = $SPLUNK_DB/retention/thaweddb
maxDataSize = 150
maxHotSpanSecs = 86400
maxTotalDataSizeMB = 54000
frozenTimePeriodInSecs = 31104000

How can we modify the query to retain the logon events for 12 months.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...