Looking for a search to see my splunk users that h...

smithke · ‎01-28-2021

I'm looking for a query to see my splunk users that havent logged into splunk in x days.

Currently looking at this query:

| rest /services/authentication/users splunk_server=local |eval c_time=strftime(last_successful_login,"%m/%d/%y %H:%M:%S") | table title roles last_successful_login c_time

However this shows me all users where I only want to see those that havent logged in in x days.

Any assistance is appreciated

saravanan90 · ‎01-28-2021

This may help..

isoutamo · ‎01-28-2021

Hi
Probably this helps you. https://community.splunk.com/t5/Splunk-Search/User-last-login-date/m-p/21766
r. Ismo

GMoney · ‎10-13-2022

I can't say when this stopped working, but as of version 8.2.4 index=_audit no longer utilizes action=login*. Run a "| stats values(action)" and you'll see what I mean.

isoutamo · ‎10-13-2022

At 9.0.1 it gives that actions as earlier

index=_audit action=login* earliest=-4h
| stats count by action

smithke · ‎01-28-2021

Thanks but this did not help.

Looking for a search to see my splunk users that havent logged into splunk in x days?

time

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update