https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575134#M200408 <P>Assuming that&nbsp;Computers.csv contains a field called "host" and&nbsp;Dont_search.csv contains "user".</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">source=WinEventLog:Security 4624 EventCode=4624 [| inputlookup Computers.csv | table host] earliest=-1d@d | fields host user | lookup Dont_search.csv user OUTPUT user AS filtered_user | search NOT filtered_user=* | stats max(_time) AS last_logon_time first(user) AS user BY host | eval days_since_logon=ROUND((now()-last_logon_time)/86400, 2) | eval last_logon_date=strftime(last_logon_time, "%Y-%m-%d") | table host user days_since_logon last_logon_date | append [| inputlookup Computers.csv | table host] | dedup host | fillnull value="-" | table host user days_since_logon last_logon_date</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Includes domain field which should be more useful.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">source=WinEventLog:Security 4624 EventCode=4624 [| inputlookup Computers.csv | table host] earliest=-1d@d | fields host user Account_Domain Security_ID | lookup Dont_search.csv user OUTPUT user AS filtered_user | search NOT filtered_user=* | eval domain=mvindex(Account_Domain, 1) | eval logon_id=mvindex(Security_ID, 1) | search NOT domain="* *" | where host!=domain | table _time host logon_id domain user | stats max(_time) AS last_logon_time first(logon_id) AS logon_id first(domain) AS domain first(user) AS user BY host | eval days_since_logon=ROUND((now()-last_logon_time)/86400, 2) | eval last_logon_date=strftime(last_logon_time, "%Y-%m-%d") | table host domain user logon_id days_since_logon last_logon_date | append [| inputlookup Computers.csv | table host] | dedup host | table host domain user logon_id days_since_logon last_logon_date</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Nov 2021 20:13:43 GMT johnhuang 2021-11-16T20:13:43Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575028#M200378 <P>I am looking to identify specific assets that have not been logged into in over a set time. I am fairly new to all of this and trying to learn in a more hands on way. I was wondering what would be the best way to accomplish this?</P><P>I was thinking something like this but I don't think this is right:</P><P>EventCode=4624 AND [|inputlookup append=t Computers.csv] NOT [inputlookup append=t Dont_search.csv] | dedup host | table _time,host,user | sort host</P><P>Computers.csv - Specific computers that I want to track.</P><P>Dont_search.csv - Accounts that I DO NOT want to track.&nbsp;</P><P>I am hoping to show all computers on my list regardless of whether they were logged in too. Any help would be greatly appreciated!!!</P> Tue, 16 Nov 2021 12:12:16 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575028#M200378 Durwood 2021-11-16T12:12:16Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575050#M200381 <P>Finding something that is not there is not Splunk's strong suit.&nbsp; See this blog entry for a good write-up on it.<BR /><BR /><A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A></P> Tue, 16 Nov 2021 13:57:57 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575050#M200381 richgalloway 2021-11-16T13:57:57Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575057#M200383 <P>There are two issues with your search.</P><P>1. Your subsearches must return properly named columns. Are you sure that you don't need to do some "| rename"?</P><P>2. With subsearches provided this way you only add further conditions to your search. You will still not get any results if there are no events matching the condition set.</P><P>If you want to find which hosts didn't send anything, you'd have to append "fake" results from a pre-defined set of hosts, and then - for example - sum them with your found events. Then you'd see which results have zero ocurrences.</P><P>A rough idea:</P><PRE>&lt;your search&gt; | stats count by Computername<BR />| append [ | inputlookup myhosts.csv | eval count=0 ]<BR />| stats sum(count) by Computername</PRE> Tue, 16 Nov 2021 14:19:34 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575057#M200383 PickleRick 2021-11-16T14:19:34Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575134#M200408 <P>Assuming that&nbsp;Computers.csv contains a field called "host" and&nbsp;Dont_search.csv contains "user".</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">source=WinEventLog:Security 4624 EventCode=4624 [| inputlookup Computers.csv | table host] earliest=-1d@d | fields host user | lookup Dont_search.csv user OUTPUT user AS filtered_user | search NOT filtered_user=* | stats max(_time) AS last_logon_time first(user) AS user BY host | eval days_since_logon=ROUND((now()-last_logon_time)/86400, 2) | eval last_logon_date=strftime(last_logon_time, "%Y-%m-%d") | table host user days_since_logon last_logon_date | append [| inputlookup Computers.csv | table host] | dedup host | fillnull value="-" | table host user days_since_logon last_logon_date</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Includes domain field which should be more useful.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">source=WinEventLog:Security 4624 EventCode=4624 [| inputlookup Computers.csv | table host] earliest=-1d@d | fields host user Account_Domain Security_ID | lookup Dont_search.csv user OUTPUT user AS filtered_user | search NOT filtered_user=* | eval domain=mvindex(Account_Domain, 1) | eval logon_id=mvindex(Security_ID, 1) | search NOT domain="* *" | where host!=domain | table _time host logon_id domain user | stats max(_time) AS last_logon_time first(logon_id) AS logon_id first(domain) AS domain first(user) AS user BY host | eval days_since_logon=ROUND((now()-last_logon_time)/86400, 2) | eval last_logon_date=strftime(last_logon_time, "%Y-%m-%d") | table host domain user logon_id days_since_logon last_logon_date | append [| inputlookup Computers.csv | table host] | dedup host | table host domain user logon_id days_since_logon last_logon_date</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Nov 2021 20:13:43 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575134#M200408 johnhuang 2021-11-16T20:13:43Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575138#M200410 <P>BTW, if your goal is to show real user logons to an interactive session, you should further filter the logon_type. For example:</P><P>&nbsp;</P><LI-CODE lang="python">source=WinEventLog:Security 4624 (EventCode=4624 AND (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11)) [| inputlookup Computers.csv | table host] earliest=-1d@d</LI-CODE><P>&nbsp;</P> Tue, 16 Nov 2021 20:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575138#M200410 johnhuang 2021-11-16T20:20:13Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575481#M200537 <P>Thank you for the response! I am still having issues with the search excluding the users in the user column of my "Dont_Search.csv". Any ideas? I am very new to the Splunk game so apologies if I am asking something that is a bit elementary.&nbsp;</P> Thu, 18 Nov 2021 16:05:25 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575481#M200537 Durwood 2021-11-18T16:05:25Z https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575565#M200561 <P>Could you provide a sample of the search output and also&nbsp;<SPAN>Dont_Search.csv?</SPAN></P> Thu, 18 Nov 2021 23:02:02 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-stale-computers-on-network/m-p/575565#M200561 johnhuang 2021-11-18T23:02:02Z