Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard Query to Monitor Inactive Accounts

Rosie2287
Explorer
‎04-04-2024 08:02 AM

Is there a query I can add to my splunk dashboard that will list accounts inactive over 35 days?

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-04-2024 08:15 AM

Hi @Rosie2287,

if you want to list the accounts used in the last 90 days that weren't used in the last 35 days, you could run something like this:

I could be more detailes knowing which kind of logs yu want to monitor, are they Windows?

in this case I use index=wineventlog and EventCode=4624.

index=wineventlog EventCode=4624 earliest=-90d latest=now
| eval period=if(_time>now()-35*86400,"Last","Previous")
| stats dc(period) AS period_count values(period) AS period BY Account_name
| where period_count=1 AND period="Previous"
| table Account_name

Ciao.

Giuseppe

 

Reply

Rosie2287
Explorer
‎04-04-2024 08:31 AM

Thank you for this but I am not sure if it will work for my set up since logs are deleted weekly.  These are windows events.

Do you have a query that may identify all enabled accounts and when their last login date was?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2024 08:46 AM

If the information has been deleted, Splunk can't report on it.

0 Karma
Reply

Rosie2287
Explorer
‎04-04-2024 08:48 AM

Our splunk server keeps the logs for a lot longer.  Sorry I was unclear.  

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...