I am using Splunk to monitor my application and would like to know which users have been inactive for the last X days.
I have a user lookup with userId and username. I think I can accomplish this search using "inputlookup myuserlookup | search NOT", but I got stuck.
I would really appreciate any advice on figuring out the syntax. (I'm still a noob at this.)
The solution is to 1) create an intermediate file of ACTIVE users, then 2) do a lookup between the list of ALL users and ACTIVE USERS to get the INACTIVE users.
0) Have a list of all users uploaded to Splunk called "all-users"
1) Run this search to create the intermediate file named weekly_active_users.csv:
* | stats dc(userid) as "loggedin" by userid | outputlookup weekly_active_users.csv
2) Run this search to see the INACTIVE users:
| inputlookup "all-users" | lookup weekly_active_users.csv userid as userid | where isnull(loggedin)
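The same two-step method can be collapsed into a single ad-hoc search, which also surfaces a check the two-step version silently drops: userids that appear in the application's events but are not in the master list at all. The search below is an added example, not part of the original answer. It assumes the application's login events are in an index called app_idx with sourcetype app_login (both hypothetical names), that each event carries a userid field, and that the all-users lookup has the columns userid and username as described in the question; the 30-day window is arbitrary.

```spl
index=app_idx sourcetype=app_login earliest=-30d@d latest=now
| stats count AS logins BY userid
| inputlookup append=true all-users
| eval userid=lower(trim(userid))
| stats sum(logins) AS logins, values(username) AS username BY userid
| fillnull value=0 logins
| eval status=case(logins=0, "inactive", isnull(username), "unknown: active but not in all-users", true(), "active")
| where status!="active"
| table userid, username, logins, status
```

The first stats produces one row per active userid. inputlookup with append=true adds every row of the master list behind those results (it is not a subsearch, so the subsearch result limit does not apply to a large user file). The eval normalises userid on both sides, because a case or whitespace mismatch between the log field and the lookup column would otherwise make an active user look inactive. The second stats merges the two row sets per userid: a user present only in the lookup gets a null sum, which fillnull turns into 0, and a user present only in the events gets no username. The final case() labels both situations; the "unknown" rows are worth reviewing separately, since an account that authenticates to the application but is missing from the list of known users is usually a provisioning or inventory gap. For a scheduled report it is still cheaper to keep the original approach of writing the active set to a lookup once and joining against it, rather than rescanning raw events each time.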
Hi.. user activity will be available in audit. One way to do what you want would be the following.
Logged-in users will be available in audit entries. Assuming you named your field "users" in your lookup table, something along the lines of the below might help (e.g. for the past 3 days):
index=_audit earliest=-3d@d latest=@d action="login attempt" info=succeeded|stats values(user) as user|fields user|inputlookup append=t myuserlookup | dedup user
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup
To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users are in the lookup file I have uploaded.
Ah.. then you might not need a lookup. If you have the users set up right in Splunk, something like the below might work:
index=_audit action="login attempt" info="succeeded" earliest=-7d@d latest=-3d@d NOT [search index=_audit action="login attempt" info="succeeded" earliest=-3d@d | dedup user | fields user ]|join user [| rest /services/authentication/users splunk_server=local| search defaultApp=yourapp_here|fields title defaultApp|rename title as user ]|fields user defaultApp
This should give you the users who have not logged in for the past 3 days out of all users who have logged in in the past 7 days... change the time period to fit your requirements.