Splunk search for Successful Splunk logins
index=_audit action="login*" info=succeeded | dedup user | table user timestamp
This Splunk search shows successful Splunk logins, keeping only the most recent login per user. Splunk returns events newest first and dedup keeps the first event it sees for each user, which is why the surviving row is the latest login. The output lists each user who logged in and the time of that login.
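Added example, not part of the original page: a Python sketch that replays the search's filter, dedup and table stages over constructed audit events, to show why dedup on user leaves each user's most recent successful login. The event layout, sample values and function names are assumptions made for illustration.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events in an assumed key=value audit layout (not real data).
SAMPLE_EVENTS = """\
Audit:[timestamp=03-04-2024 09:12:01.100, user=alice, action=login attempt, info=succeeded]
Audit:[timestamp=03-04-2024 09:15:44.250, user=bob, action=login attempt, info=failed]
Audit:[timestamp=03-04-2024 10:02:10.000, user=bob, action=login attempt, info=succeeded]
Audit:[timestamp=03-04-2024 11:30:05.500, user=alice, action=search, info=granted]
Audit:[timestamp=03-04-2024 13:47:59.900, user=alice, action=login attempt, info=succeeded]
"""

EVENT_RE = re.compile(r"^Audit:\[(?P<body>.*)\]$")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_event(line):
    """Turn one audit line into a dict of its key=value fields, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("body").split(", "))
    fields["_time"] = datetime.strptime(fields["timestamp"], TS_FORMAT)
    return fields


def latest_successful_logins(raw):
    """Replay: action="login*" info=succeeded | dedup user | table user timestamp"""
    events = [e for e in map(parse_event, raw.splitlines()) if e]
    # Splunk hands events to the pipeline newest first; dedup depends on that order.
    events.sort(key=lambda e: e["_time"], reverse=True)
    seen, rows = set(), []
    for e in events:
        is_login = fnmatchcase(e.get("action", "").lower(), "login*")
        if not is_login or e.get("info", "").lower() != "succeeded":
            continue                      # filter stage
        if e["user"] in seen:
            continue                      # dedup user: keep first (newest) only
        seen.add(e["user"])
        rows.append((e["user"], e["timestamp"]))  # table user timestamp
    return rows


if __name__ == "__main__":
    for user, ts in latest_successful_logins(SAMPLE_EVENTS):
        print(f"{user:<10}{ts}")
```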