Re: Windows Last Logon against a .csv file

WPDITSec · ‎11-08-2017

I am trying to search for a list of users Last Logon to Windows through SPLUNK... for an individual user I use the search

USERNAME logon eventtype=windows_logon_success |table User_time

However, I am trying to do this for around 300 users.. is there a way to do this on bulk by importing a lookup .csv file and getting the search to look at the username & export a new list with the last logon date populated?

Any help would be great

Thanks

jkat54 · ‎11-08-2017

Why not do it like this:

 logon eventtype=windows_logon_success User_time=* |stats latest(User_time) by userName

Where userName is whatever the userName field is in your data. No need for a lookup if I’m following your question correctly.

gcusello · ‎11-08-2017

Hi WPDITSec,
you have to create a lookup with the user_names list, possibly using as column name the same name of the field in your logs (e.g. USERNAME ).
After you could run a search like this:

index=wineventlog eventtype=windows_logon_success [ | inputlookup user_name.csv | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

you have only to define the time period of your search (e.g. last week)

Put attention to the case of USERNAME: if you have the dubt that there could be differences between upper and lower case, you have to modify the above search (it's slower!)

index=wineventlog eventtype=windows_logon_success 
| eval USERNAME=upper(USERNAME)
[ | inputlookup user_name.csv | eval USERNAME=upper(USERNAME) | fields USERNAME ]
| stats latest(_time) AS last_logon_time BY USERNAME

Bye.
Giuseppe

Windows Last Logon against a .csv file

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...