I need to create a search that will look back over the last year and list all users that have not logged into a webserver. I was thinking about running a search that normalized, deduped, and listed all users in a table. Then I wanted to run a search against the table for all users with timestamps older than 30 days. I have the first part working, but not the search against the table. Any help would be appreciated.
sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | search _time>-30d
Try this
sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | eval age_days=(now()-_time)/(60*60*24) | where age_days > 30
Try this
sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | eval age_days=(now()-_time)/(60*60*24) | where age_days > 30
Thanks! This worked for me.