Re: How to add column of last login date/time for ...

dmcavoy · ‎07-31-2014

How can I add a column for my below search that displays a result for the Target_Account_Name's last login date/ time?

index=windows_sec "EventCode=630" OR "EventCode=4726" | eval "Time and Date"=strftime(_time, "%H:%M %Y/%m/%d") | table "Time and Date" "Target_Account_Name" "Caller_Domain" "ComputerName" "Caller_User_Name" | rename "Target_Account_Name" as "Username" "Caller_Domain" as "Domain" "ComputerName" as "Computer Name" "Caller_User_Name" as "Deleted By"

somesoni2 · ‎08-01-2014

Try something like this

index=windows_sec "EventCode=630" OR "EventCode=4726" "EventCode=528" OR "EventCode=4624"
| stats first(<<Field from "EventCode=528" OR "EventCode=4624" which have last login date>>) as last_login_date, first(<<other rqquired fields from  "EventCode=630" OR "EventCode=4726">> ... by Target_Account_Name

Assuming that Target_Account_Name is the common user name field for all these event codes.

dmcavoy · ‎08-01-2014

Yeah both those event codes do have logs. Am I going to have to perform a join query for this then? I specifically need event code 630 and 4726 as they are event codes for deleted windows accounts.

somesoni2 · ‎07-31-2014

Does your logs contain entries with "EventCode=528" OR "EventCode=4624" ?? These entries contains successful login details and you can use those entries to get your last login date/time.

How to add column of last login date/time for Target users?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability