Splunk Search

Search for inactive users in my application

will_paxata
Explorer

I am using Splunk to monitor my application and would like to know which users have been inactive over the last X days.

I have a user lookup with userId and username. I think I can accomplish this search using "inputlookup myuserlookup | search NOT", but I got stuck.

I would really appreciate any advice figuring out the syntax. (I'm still a noob at this.)

To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users is in the lookup file I have uploaded.

0 Karma
1 Solution

will_paxata
Explorer

The solution is to 1) create an intermediate file of ACTIVE users, then 2) do a lookup between the list of ALL users and ACTIVE USERS to get the INACTIVE users.

0) Have a list of all users uploaded to Splunk called "all-users"

1) Run this search to create the intermediate file named weekly_active_users.csv:
* | stats count AS loggedin BY userid | outputlookup weekly_active_users.csv

2) Run this search to see the INACTIVE users:
| inputlookup "all-users" | lookup weekly_active_users.csv userid OUTPUT loggedin | where isnull(loggedin)
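As an added example (not from the original post), the two steps above can be collapsed into one search that also reports how long each account has been dormant, which is what an access review of stale accounts actually needs. It assumes the application's login events live in an index called myapp with placeholder fields action and status, that the lookup is all-users with the userId and username fields described in the question, and a 90-day lookback with a 30-day inactivity threshold:

```spl
index=myapp action=login status=success earliest=-90d@d latest=@d
| stats max(_time) AS last_login BY userId
| inputlookup append=true all-users
| stats max(last_login) AS last_login, values(username) AS username BY userId
| eval days_inactive=if(isnull(last_login), 90, round((now() - last_login) / 86400))
| where days_inactive >= 30
| eval last_login=if(isnull(last_login), "none in 90-day window", strftime(last_login, "%Y-%m-%d"))
| sort - days_inactive
| table userId username last_login days_inactive
```

Because the active set is built with stats rather than a join subsearch, the result is not capped by the subsearch result limit. A userId that passes the threshold but has an empty username appears in the login events without being in all-users, which is worth a separate look since it is an identity your user list does not know about.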

Yasaswy
Contributor

Hi. User activity will be available in the audit index. One way to do what you want would be to

  1. List all users who have logged in during the time period you are interested in
  2. Dedup them against the users who have actually logged in (this will eliminate all users who have logged in)

Logged-in users will be available in audit entries. Assuming you named your field user in your lookup table, something along the lines of the following might help (for example, the past 3 days):

index=_audit earliest=-3d@d latest=@d action="login attempt" info=succeeded | stats count BY user | fields user | inputlookup append=t myuserlookup | dedup user

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup

0 Karma

will_paxata
Explorer

To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users is in the lookup file I have uploaded.

0 Karma

Yasaswy
Contributor

Ah, then you might not need a lookup. If you have the users set up right in Splunk, something like the following might work:

index=_audit action="login attempt" info="succeeded" earliest=-7d@d latest=-3d@d
    NOT [search index=_audit action="login attempt" info="succeeded" earliest=-3d@d | dedup user | fields user]
| dedup user
| join user [| rest /services/authentication/users splunk_server=local | search defaultApp=yourapp_here | fields title defaultApp | rename title AS user]
| fields user defaultApp

This should give you the users who have not logged in for the past 3 days out of all users who have logged in during the past 7 days. You can change the time period to fit your requirements.

0 Karma