topic Re: Search for inactive users in my application in Splunk Search

Search for inactive users in my application

will_paxata — Fri, 01 May 2015 16:59:57 GMT

I am using Splunk to monitor my application and would like to know what users have been inactive of the last X days.

I have a user lookup with userId and username. I think I can accomplish this search using "inputlookup myuserlookup | search NOT", but I got stuck.

I would really appreciate any advice figuring out the syntax. (I'm still a noob at this.)

To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users are in the lookup file I have uploaded.

Re: Search for inactive users in my application

Yasaswy — Fri, 01 May 2015 19:46:03 GMT

Hi.. user activity will be available in audit. One way to do what you want would be to

List all users who have logged in in your interested time period
Dedup them with the users who have actually logged in (this will eliminate the all users who have logged in)

Logged in users will be available in audit entries. Assuming you named you field as users in your lookuptable. Something in the line of below might help (for eg past 3 Days)

index=_audit earliest=-3d@d latest=@d action="login attempt" info=succeeded|stats values(user) as user|fields user|inputlookup append=t myuserlookup | dedup user

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup

Re: Search for inactive users in my application

will_paxata — Fri, 01 May 2015 22:53:19 GMT

To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users are in the lookup file I have uploaded.

Re: Search for inactive users in my application

Yasaswy — Mon, 04 May 2015 17:02:41 GMT

Ah.. then you might not need a lookup. If you have the users setup right in splunk something like below might work:

index=_audit action="login attempt" info="succeeded" earliest=-7d@d latest=-3d@d NOT [search index=_audit action="login attempt" info="succeeded" earliest=-3d@d | dedup user | fields user ]|join user [| rest /services/authentication/users splunk_server=local| search defaultApp=yourapp_here|fields title defaultApp|rename title as user ]|fields user defaultApp

this should give you the users who have not logged in for past 3 days out of all users who have logged in in the past 7 days... you change the time period to fit your requirements.

Re: Search for inactive users in my application

will_paxata — Mon, 28 Sep 2020 19:57:13 GMT

The solution is to 1) create an intermediate file of ACTIVE users, then 2) do a lookup between the list of ALL users and ACTIVE USERS to get the INACTIVE users.

0) Have a list of all users uploaded to Splunk called "all-users"

1) Run this search to create the intermediate file named weekly_active_users.csv:
* | stats dc(userid) as "loggedin" by userid | outputlookup weekly_active_users.csv

2) Run this search to see the INACTIVE users:
| inputlookup "all-users" | lookup weekly_active_users.csv userid as userid | where isnull(loggedin)