Splunk Search

How do you search users who were not logged in the past 30 days?

ruchijain
New Member

Hi,

I am trying to search for a list of users who have not logged into the Splunk environment in the past 30 days.

Can you please look into the below query and let me know what is not correct in that?

index=_internal sourcetype=splunkd_access | eval length=len(user) | search length>1 | eval Time=strptime(_time,"%Y-%m-%d") | eval Before30days=relative_time(now(),"-30d@d") |where Time
1 Solution

harishalipaka
Motivator

hi @ruchijain

try this

index=_internal sourcetype=splunkd_ui_access user!="-"
| stats earliest(_time) AS StartTime latest(_time) AS EndTime count by user date_mday
| join type=left user
    [| rest /services/authentication/users
     | rex field=id "https:\/\/127.0.0.1:8089\/(\w+\/)+(?<user>\w+)"
     | rename realname AS Name
     | fields user ]
| search user=*
| eval
    Duration=tostring(EndTime-StartTime,"Duration"),
    StartTime=strftime(StartTime,"%d/%m/%Y %H.%M.%S"),
    EndTime=strftime(EndTime,"%d/%m/%Y %H.%M.%S")
| sort user
| table user StartTime EndTime Duration
| dedup user
Thanks
Harish


chandan
Observer

Please check the below query, guys; it's the best result I have got:

| `inactive_accounts(30)` | eval LastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S.%Q") | sort -_time

Happy Splunking!!!


ruchijain
New Member

Thanks, it gives the whole list....


ruchijain
New Member

This shows only one record, with user as "testuser", which is not correct; there are many users who have not logged in to the Splunk environment.
Can you please let me know what else can be used?
Or, if you can, let me know how we can check when each user last logged in; with the help of that we can also find who has not logged in for the past 30 days.


chrisyounger
SplunkTrust

Here is one way to do it using the audit log:

index=_audit splunk_server=local action=search user=*
| stats latest(_time) as last_search by user
| append
    [| rest /services/authentication/users
     | eval user = title
     | fields user ]
| stats last(*) as * by user
| eval days_since_last_search = round((time() - last_search) / 86400,2)

You should check how far back your audit log goes.

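To turn the audit-log approach above into the 30-day list this thread asks for, here is an added query (my own, not from any reply in this thread) that keeps users who have no audit events at all, applies the 30-day cutoff, and labels the two cases separately; the status labels are invented here.

```spl
index=_audit splunk_server=local action=search user=* user!="-"
| stats latest(_time) AS last_search BY user
| append
    [| rest /services/authentication/users
     | eval user=title
     | fields user ]
| stats max(last_search) AS last_search BY user
| eval days_since_last_search=round((now() - last_search) / 86400, 2)
| eval status=case(
      isnull(last_search), "no activity in retained audit data",
      days_since_last_search > 30, "inactive more than 30 days",
      true(), "active")
| where status!="active"
| eval last_search=strftime(last_search, "%Y-%m-%d %H:%M:%S")
| table user last_search days_since_last_search status
```

Scheduled searches run as their owner also produce `action=search` audit events, so a user who only owns scheduled reports will look active; successful `action=login_attempt info=succeeded` events in `_audit` are the stricter signal for interactive logins. A user in the "no activity in retained audit data" row is only known to be inactive for as long as `_audit` is retained, which is the retention caveat in the post above.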

ruchijain
New Member

It only shows one result; can you please check and let me know.
Or, if you can, let me know how we can check when each user last logged in, so that this will also provide the details to me.
