topic How to get which User not logged into Splunk in Dashboards & Visualizations

How to get which User not logged into Splunk

harishsplunk7 — Sat, 28 Sep 2024 17:59:35 GMT

I want to show which User not logged into Splunk for last 30 or 90days in splunk

For example: we have 300 user have access to splunk UI, I want to know who is not logged into splunk more than 7 days

Below query will show who has logged into splunk, but i wanted to show the who is not logged and last login time information.

Re: How to get which User not logged into Splunk

richgalloway — Mon, 23 Sep 2024 20:56:07 GMT

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

In this case, what you have just needs a little tweaking.

Re: How to get which User not logged into Splunk

Jawahir — Mon, 23 Sep 2024 20:38:46 GMT

Try this:

| rest /services/authentication/users
| rename title as user
| table user realname roles email
| join type=left user 
[search index=_audit sourcetype=audittrail action=success AND info=succeeded
| stats max(_time) as last_login_time by user
| where last_login_time > relative_time(now(), "-7d")
| table user last_login_time ]
| where isnull(last_login_time) OR last_login_time < relative_time(now(), "-7d")

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

Re: How to get which User not logged into Splunk

harishsplunk7 — Tue, 24 Sep 2024 13:59:20 GMT

thank you for your response, I have tried your query but not getting the user not logged in for last 7 days 30d or 90d. By selecting the time range it should automatically show the result which user not logged into splunk web UI. For example we have 100 account in user list, only 10 users are actively login in, remaining user need to identify the when they last logged into splunk.

Re: How to get which User not logged into Splunk

harishsplunk7 — Tue, 24 Sep 2024 14:00:14 GMT

thank you for your response, I have tried your query but not getting the user not logged in for last 7 days 30d or 90d. it showing total 0,i need to show by selecting the time range it should automatically show the result which user not logged into splunk web UI. For example we have 100 account in user list, only 10 users are actively login in, remaining user need to identify the when they last logged into splunk.

Re: How to get which User not logged into Splunk

isoutamo — Sat, 28 Sep 2024 14:23:43 GMT

Hi
I think that you need a separate lookup file, which contains all users, which have capability to login into splunk. If user hasn't ever logged in, then (depending how you have configured your users like splunk user, LDAP user, SSO users) it's quite probably that you haven't those names on your system. For that reason rest cannot return those to you.

You need just replace that subquery [|rest....] on @richgalloway 's answer with inputlookup query for those user accounts.

r. Ismo

Re: How to get which User not logged into Splunk

Jawahir — Sat, 28 Sep 2024 19:15:53 GMT

@harishsplunk7 I hope this search will help you ..

| rest /services/authentication/users splunk_server=local
| table title, realname, last_successful_login
| rename title AS username | addinfo
| eval status=if(last_successful_login>info_min_time,"User logged in during the selected time range","User Not logged in during the selected time range")
| convert ctime(*_login) ctime(*_time)|fields - *_time, info_sid

------