Monitoring Splunk

How to get list of users not logged in for more than 30 days in DC

spodda01da
Path Finder

Hi All,

I am trying to create a list of users who have not logged in Domain Controller for more than 30 days.

Any suggestion will be of great help.

Thanks,

1 Solution

dkeck
Influencer

Hi,

If you have the add-on for Active Directory installed, you could use the ldapsearch command.

Have a look at this:

https://answers.splunk.com/answers/559930/ldapad-report-on-user-accounts-last-login-date-and.html


FrankVl
Ultra Champion

Assuming you already have the relevant login events in Splunk:

Something like this should work:

...search to get to the successful login events...
| stats latest(_time) as lastTime by user
| eval daysAgo = (now()-lastTime)/(24*3600)
| search daysAgo > 30

Only trouble: you will need to run this over a long time period and if you have a big volume of domain controller logs, that may be a bit slow. Accelerated data models could help there.

Alternative would be to somehow import a full list of users from AD, and then filter out those users that show up in last 30 days of login events.


nickhills
Ultra Champion

Just to highlight...
If you have more than one Domain Controller in your forest/domain you may need to check each DC for the last logon timestamp - sadly, this parameter is not replicated between DCs, so you have to do some legwork to make sure you get all the values from your LDAP environment.

If my comment helps, please give it a thumbs up!
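Putting FrankVl's 30-day cutoff and nickhills' per-DC caveat together, here is an added Python example (not code from this thread or from the Splunk add-on) that merges the lastLogon value from every DC with login events from another app and reports the stale accounts. The DC names, users and timestamps are constructed, and the lastLogon values are assumed to have already been converted to ISO-8601 UTC strings.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: lastLogon per user as reported by EACH domain
# controller (the attribute is not replicated, so every DC holds its own value).
# Timestamps are assumed to already be converted to ISO-8601 UTC strings.
DC_LASTLOGON = {
    "dc01": {"alice": "2019-05-01T08:00:00Z", "bob": "2019-03-01T09:00:00Z", "carol": None},
    "dc02": {"alice": "2019-04-20T10:00:00Z", "bob": "2019-05-10T12:00:00Z", "carol": None},
}

# Constructed login events from another app already indexed in Splunk,
# reduced to (user, _time) pairs as a "stats latest(_time) by user" would see them.
APP_LOGINS = [
    ("dave", "2019-04-01T07:30:00Z"),
    ("erin", "2019-05-12T18:45:00Z"),
    ("alice", "2019-04-25T11:00:00Z"),
]

NOW = datetime(2019, 5, 15, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_ts(value):
    """ISO-8601 'Z' timestamp -> aware datetime; None means the account never logged on."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_logon(per_dc, events):
    """Merge lastLogon from every DC with the app login events, keeping the newest per user."""
    latest = {}
    for dc_values in per_dc.values():
        for user, ts in dc_values.items():
            latest.setdefault(user, None)  # keep never-logged-on users in the output
            seen = parse_ts(ts)
            if seen and (latest[user] is None or seen > latest[user]):
                latest[user] = seen
    for user, ts in events:
        seen = parse_ts(ts)
        if latest.get(user) is None or seen > latest[user]:
            latest[user] = seen
    return latest


def stale_users(per_dc, events, now=NOW, days=30):
    """Users whose newest activity from any source is older than `days`, or who have none."""
    cutoff = now - timedelta(days=days)
    merged = latest_logon(per_dc, events)
    return sorted(u for u, seen in merged.items() if seen is None or seen < cutoff)
```

Calling stale_users({"dc01": DC_LASTLOGON["dc01"]}, []) flags bob, whose newest logon lives only on dc02; that is the single-DC pitfall nickhills describes, and merging all DCs clears him.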

spodda01da
Path Finder

Thanks, this was helpful !!


FrankVl
Ultra Champion

oh, yes, if you can import the last logon date straight from AD that could make things much simpler indeed, good suggestion!


dkeck
Influencer

No need to be sarcastic 😉 Since he did not say if he already has logs, I wanted to give him a suggestion on where to look. If you had a look at the search in the link, you would know that you can filter with the field lastDate.


FrankVl
Ultra Champion

Sarcastic? It was meant as a genuine comment. More of an "I hadn't thought of that", after I submitted my own answer 🙂


dkeck
Influencer

Ah ok, please excuse my misinterpretation ^^

I just thought because there was no upvote it could be sarcasm 🙂


spodda01da
Path Finder

Thanks Guys, I can do with AD but I need to collect the user activity from another app on Splunk...I am trying to combine both in a report.


FrankVl
Ultra Champion

@dkeck's suggestion enables you to collect that data from AD into Splunk 🙂
