Hello,
If I wanted to find certain machines (virtual or not) that have not been logged into BY ANYONE in, let's say, the past 30 days, could you assist with a query/statement?
Or the easiest method for finding workstations or VMs we can remove based on no logins in the past X amount of days...
Thanks in advance,
Patrick
So you want to search the logs for something that is not there. That is inherently problematic.
In essence, you'll have to search through your logs for the last 30 days and identify the systems that were used. Then you'll have to search through all the rest of your logs and make note of any system that is not part of the result set from the first search. Those would be the systems you really want to find.
One way to do that is through a subsearch;
sourcetype=your_sourcetype latest=-30@d NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]
Another, far more efficient, way is if you have a trustworthy asset list that can be used as a lookup, since that would eliminate the outer part of the search above;
| inputlookup your_asset_file.csv | search NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]
If you don't have an asset list, it might be useful to build one (with Splunk, that is), especially if you are going to run this search on a regular basis. A good description of how to build state tables (which a list of currently active servers can be seen as) can be found here;
http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
The idea is to;
Once you have this going, you could have a scheduled daily search that only has to go through a single day's worth of data.
What sort of data DO you have?
/k