https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372005#M109454 <P>@williamdicker - Did the answer provided by naidusadanala help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!</P> Wed, 17 May 2017 02:57:31 GMT aaraneta_splunk 2017-05-17T02:57:31Z https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372001#M109450 <P>Hello Splunk, </P> <P>I am attempting to write a query that searches Splunk for any users that have not logged in for the past 60 days. This is a compliance requirement and all query's are not working. </P> <P>Our login sourcetype is sam:xml</P> <P>My latest search resulted in zero events: </P> <P>index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs &gt; 2592000 | table user</P> Tue, 29 Sep 2020 14:00:43 GMT https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372001#M109450 williamdicker 2020-09-29T14:00:43Z https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372002#M109451 <P>Try this</P> <P>index=_audit action="login attempt" info=succeeded |stats max(timestamp) as last_login_time by user | eval last_login_time = strptime('last_login_time', "%m-%d-%Y %H:%M:%S")<BR /> | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs &gt; 2592000 | table user</P> Tue, 29 Sep 2020 14:00:50 GMT https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372002#M109451 naidusadanala 2020-09-29T14:00:50Z https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372003#M109452 <P>very good here!<BR /> for 60 days change 2592000 (this is 30 days) to 5184000</P> Wed, 10 May 2017 16:19:31 GMT https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372003#M109452 adonio 2017-05-10T16:19:31Z https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372004#M109453 <P>You are right</P> Wed, 10 May 2017 16:28:03 GMT https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372004#M109453 naidusadanala 2017-05-10T16:28:03Z https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372005#M109454 <P>@williamdicker - Did the answer provided by naidusadanala help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!</P> Wed, 17 May 2017 02:57:31 GMT https://community.splunk.com/t5/Splunk-Search/Inactive-Users/m-p/372005#M109454 aaraneta_splunk 2017-05-17T02:57:31Z