Security

Splunk users expire after x days of inactivity

scheckenbachb
Explorer

Hi,
Is it possible to set an "expire after x days of inactivity" for Splunk's own built-in system users? The Manager GUI in V 5.0.1 doesn't offer this.

Regards, Bernhard


Damien_Dallimor
Ultra Champion

You could do this using a scheduled script (cron / Windows scheduled task) that communicates with SplunkD via the Splunk REST API.
The script could execute a search (via the REST API) to determine the last time each user logged in, and calculate which users have been inactive for x days. In the following example, 2592000 seconds is 30 days:

index=_internal source=*web_service.log action=login status=success | stats max(_time) as last_login_time by user | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

And then remove the users (via the REST API) that are returned in the search results.
We have several language SDKs that sit atop the REST API to make this development easier.

You could also do this using the Splunk CLI.
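
The selection step of the scheduled script described in the answer above, as an added example that is not part of the original post or Splunk's own code. It goes slightly beyond the answer by also reporting accounts that have no login event at all in the searched window, so they are reviewed instead of silently skipped. The `PROTECTED` set, the 90-day search window, the `{"results": [...]}` JSON shape and the base URL are assumptions.

```python
import json
import urllib.parse

INACTIVE_SECS = 30 * 24 * 3600   # 2592000 seconds, as in the answer
PROTECTED = {"admin"}            # assumption: accounts never auto-removed

# One row per user: newest successful login found in _internal.
LAST_LOGIN_SEARCH = (
    "search index=_internal source=*web_service.log action=login status=success "
    "| stats max(_time) as last_login_time by user"
)

def oneshot_search_body(search, earliest="-90d"):
    """Form body for POST /services/search/jobs (window is an assumption)."""
    return urllib.parse.urlencode({
        "search": search, "exec_mode": "oneshot",
        "output_mode": "json", "earliest_time": earliest,
    })

def inactive_users(results_json, all_users, now, max_idle=INACTIVE_SECS):
    """Return (stale, never_seen) for the names in all_users.
    all_users is the list from GET /services/authentication/users. Users with
    no login row are returned separately: a missing event may only mean the
    index no longer retains their last login, so they need manual review.
    """
    last = {r["user"]: float(r["last_login_time"])
            for r in json.loads(results_json)["results"]}
    stale, never_seen = [], []
    for user in sorted(set(all_users) - PROTECTED):
        if user not in last:
            never_seen.append(user)
        elif now - last[user] > max_idle:
            stale.append(user)
    return stale, never_seen

def delete_request(base_url, user):
    """(method, url) that removes one native user through the REST API."""
    name = urllib.parse.quote(user, safe="")
    return "DELETE", f"{base_url}/services/authentication/users/{name}"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock and constructed search results
    sample = json.dumps({"results": [
        {"user": "alice", "last_login_time": str(now - 3600)},
        {"user": "bob", "last_login_time": str(now - 40 * 86400)},
    ]})
    stale, never = inactive_users(sample, ["admin", "alice", "bob", "carol"], now)
    print("would send:", [delete_request("https://localhost:8089", u) for u in stale])
    print("manual review (no login events in window):", never)
```

Run it in this print-only form first and compare the output with the user list before wiring `delete_request` to an authenticated HTTP client.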
