Look for lines like these in /var/log/auth.log:
Aug 24 20:10:01 bolo CRON[46362]: pam_unix(cron:session): session closed for user root
Aug 24 20:12:00 bolo sshd[46950]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Across whatever timeframe is appropriate.
from User warren – Stack Overflow https://stackoverflow.com/questions/73478817/splunk-how-to-get-the-last-logins-on-the-host-that-triggered-an-event/73478963#73478963
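The search described in the answer above, as an added example that is not part of the original post: a small parser that pulls `session opened` records for one PAM service out of auth.log lines and returns the logins inside a time window, newest first. The function names, the year (traditional syslog timestamps carry none) and the last three sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

# pam_unix session records in the traditional syslog layout quoted above.
PAM_SESSION = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[\w.-]+):session\): "
    r"session (?P<action>opened|closed) for user (?P<user>[^\s(]+)"
)

def parse_session(line, year):
    """Return a dict for a pam_unix session line, or None for anything else."""
    m = PAM_SESSION.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The log line has no year, so the caller has to supply one (assumption).
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def last_logins(lines, start, end, service="sshd"):
    """(time, host, user) for each session opened by `service` in [start, end]."""
    hits = []
    for line in lines:
        rec = parse_session(line.rstrip("\n"), start.year)
        if (rec and rec["action"] == "opened" and rec["service"] == service
                and start <= rec["time"] <= end):
            hits.append((rec["time"], rec["host"], rec["user"]))
    return sorted(hits, reverse=True)  # newest login first

SAMPLE = [
    # The two lines quoted in the answer:
    "Aug 24 20:10:01 bolo CRON[46362]: pam_unix(cron:session): session closed for user root",
    "Aug 24 20:12:00 bolo sshd[46950]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    # Constructed lines (not from the page): a second login, a logout,
    # and a login that falls outside the window used below.
    "Aug 24 20:15:30 bolo sshd[47011]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)",
    "Aug 24 20:40:00 bolo sshd[46950]: pam_unix(sshd:session): session closed for user root",
    "Aug 24 23:59:00 bolo sshd[48000]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    # Window around the triggering event; the year 2022 is an assumption.
    window = (datetime(2022, 8, 24, 20, 0), datetime(2022, 8, 24, 21, 0))
    for when, host, user in last_logins(SAMPLE, *window):
        print(when.isoformat(), host, user)
```

On a real host, pass the open file instead of `SAMPLE`; rotated logs that span a year boundary need the year handled per file.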