- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Windows Last Logon
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i'm trying to make a request to get the last logon for each users in my windows infrastructure;
i have a simple request for now :
host=* EventCode=4624
i can't find a time stamp for events, how do i get event time ?
a second need would be to only keep in report the last "time"
Thanks for comunity advises 😃
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should give you something more along the lines of what you were looking for:
EventCode=4624 | dedup ComputerName | table ComputerName _time
Not exactly what you asked for but to get more useful results you might want to also examine the Account_Name, Security_ID and Logon_Type fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should give you something more along the lines of what you were looking for:
EventCode=4624 | dedup ComputerName | table ComputerName _time
Not exactly what you asked for but to get more useful results you might want to also examine the Account_Name, Security_ID and Logon_Type fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i guess you are right i already red that splunk is not very friendly to non english logs ... i 'll try your workaround
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I read it "Nom du compte " is being passed to the table command as a string and not a field.
If I wasn't getting the fields in the table I wanted I would try something like:
EventCode=4624 sourcetype="WinEventLog:Security" ComputerName!="*$" | dedup ComputerName | table *
which should create a table with all the fields. From that I would identify the columns I wanted to keep and use the filed values after the table command to create the final version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey, i'm almost getting the report as i want : )
when i extract as a CSV i only get _time field, here is my request :
EventCode=4624 sourcetype="WinEventLog:Security" NOT "Nom du compte "="*$" | dedup "Nom du compte " | table "Nom du compte " _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The _time field is the internal time stamp that Splunk assigns to an event.
This should provide more insight:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields
Good Luck!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That seems to be what i'm looking for : )
what does the "_time" stands for ? it takes a timestamp of field ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you should take a look on this:
https://apps.splunk.com/app/1448/
I think this App fits for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks i'll check that app 😃
but i still would like to have a request to do that
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
