The following Splunk query (with a regex field extraction) returns the users who have successfully authenticated to an OS X machine, counted per user, host and day:
*NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed!
`sourcetype=osx_secure | rex "authinternal\sauthenticated\suser\s(?<USER>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by USER, host, Date | sort - count`
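To show what each stage of that pipeline does without a Splunk instance, here is an added Python example (not part of the original post) that runs the same regex over a few constructed secure.log-style lines and reproduces the `eval`, `stats count by` and `sort - count` stages. The line layout (`<ISO timestamp> <host> <message>`) and the sample lines are assumptions made for the example; real secure.log lines carry a syslog-style timestamp, so the timestamp parsing would need adjusting for live data.

```python
import re
from collections import Counter
from datetime import datetime

# Splunk's rex writes named groups as (?<NAME>...); Python's re needs (?P<NAME>...).
# The pattern itself is the one from the query above.
SPLUNK_REGEX = r"authinternal\sauthenticated\suser\s(?<USER>\S+)"
AUTH_RE = re.compile(SPLUNK_REGEX.replace("(?<USER>", "(?P<USER>"))

# Assumed line layout for the constructed sample: "<ISO timestamp> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed sample lines (hypothetical hosts and users, not taken from a real machine).
SAMPLE_LINES = [
    "2024-03-05T09:12:01 mac-01 authorizationhost[211]: authinternal authenticated user alice (uid 501).",
    "2024-03-05T09:40:17 mac-01 authorizationhost[219]: authinternal authenticated user alice (uid 501).",
    "2024-03-05T10:02:44 mac-01 authorizationhost[230]: authinternal failed to authenticate user mallory (tries 1).",
    "2024-03-05T11:15:09 mac-02 authorizationhost[118]: authinternal authenticated user bob (uid 502).",
    "2024-03-06T08:00:31 mac-01 authorizationhost[302]: authinternal authenticated user alice (uid 501).",
    "2024-03-06T08:05:02 mac-02 sshd[450]: Accepted keyboard-interactive/pam for bob from 10.0.0.5 port 51234 ssh2",
]


def extract_auth_event(line):
    """Return (USER, host, Date) for a successful authinternal login, else None.

    This is the rex + eval part of the query: lines the regex does not match
    (failed logins, unrelated daemons) drop out, exactly as they would in Splunk.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    auth = AUTH_RE.search(m.group("msg"))
    if not auth:
        return None
    # eval Date=strftime(_time, "%Y/%m/%d")
    date = datetime.fromisoformat(m.group("ts")).strftime("%Y/%m/%d")
    return auth.group("USER"), m.group("host"), date


def count_authenticated_users(lines):
    """stats count by USER, host, Date | sort - count, as (USER, host, Date, count) rows."""
    counts = Counter(ev for ev in map(extract_auth_event, lines) if ev is not None)
    rows = [(user, host, date, n) for (user, host, date), n in counts.items()]
    # Highest count first; remaining keys only make the ordering deterministic.
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))


if __name__ == "__main__":
    for user, host, date, count in count_authenticated_users(SAMPLE_LINES):
        print(f"{user:<8} {host:<8} {date} {count}")
```

Running it prints one row per user/host/day with the count, the same table the `stats` stage would produce; the failed attempt against `mallory` and the sshd line are not counted because the regex only matches the `authinternal authenticated user` message.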
Error in ‘rex’ command: Encountered the following error while compiling the regex ‘authinternal\sauthenticated\suser\s(?\S+)’: Regex: unrecognized character after (? or (?-
Looks like they wanted to extract a USER field, so change it to:
`| rex "authinternal\sauthenticated\suser\s(?\S+)"`
Ahh, the website hides some code. You need to have this with the spaces removed:
`(?\S+)”`
Grrrrr. Let's try this:
`| rex "authinternal\sauthenticated\suser\s(?<USER>\S+)"`
Thanks Bob! It has been fixed :)