I'm looking for a query to see my Splunk users that haven't logged into Splunk in x days.
Currently looking at this query:
| rest /services/authentication/users splunk_server=local | eval c_time=strftime(last_successful_login,"%m/%d/%y %H:%M:%S") | table title roles last_successful_login c_time
However, this shows me all users, where I only want to see those that haven't logged in in x days.
Any assistance is appreciated.
This may help:
| rest /services/authentication/users splunk_server=local
| search NOT
[ search index=_internal sourcetype=splunkd_ui_access status=200 *authentication*
| dedup user
| table user
| rename user as title ]
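
The x-day cutoff can also be applied directly to the last_successful_login field that the REST endpoint in the question already returns. The query below is an added example, not part of the original posts; threshold_days=90 is an assumed value, and the query assumes last_successful_login is an epoch timestamp that is empty or 0 for accounts that have never logged in.

```spl
| rest /services/authentication/users splunk_server=local
| eval threshold_days=90
| eval last_login=tonumber(last_successful_login)
| eval last_login=if(last_login>0, last_login, null())
| eval days_since_login=floor((now() - last_login) / 86400)
| where isnull(last_login) OR days_since_login >= threshold_days
| eval c_time=if(isnull(last_login), "never", strftime(last_login, "%m/%d/%y %H:%M:%S"))
| sort - days_since_login
| table title roles c_time days_since_login
```

Accounts that have never logged in are listed with c_time set to "never", so they are included in a stale-account review. The result does not depend on the search time range or on how long index=_internal is retained.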