Solved: Users who have never logged in.

sanju005ind · ‎02-04-2011

How do i find users who have never logged in.I have the total list of users available in a lookup file.

Ron_Naken · ‎02-04-2011

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.

View solution in original post

Ron_Naken · ‎02-04-2011

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.

gkanapathy · ‎02-04-2011

In general, it would be something like:

| inputlookup useridlist | search NOT [ search sourcetype=loginactivity | fields userid ]

sanju005ind · ‎02-04-2011

Is there no other way of checking if a user has not logged into splunk other then eliminating by checking those who logged in.I mean in the inner search how far back in time should I check to determine if a user has never logged in.

Oranges · ‎02-04-2011

Users who have not logged into what?

sanju005ind · ‎02-04-2011

Login to Splunk.

Users who have never logged in.

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...