I'm looking for a query to see my Splunk users that haven't logged into Splunk in x days.
Currently looking at this query:
| rest /services/authentication/users splunk_server=local |eval c_time=strftime(last_successful_login,"%m/%d/%y %H:%M:%S") | table title roles last_successful_login c_time
However, this shows me all users, where I only want to see those that haven't logged in in x days.
Any assistance is appreciated
This may help.
| rest /services/authentication/users splunk_server=local
| search NOT
[ search index=_internal sourcetype=splunkd_ui_access status=200 *authentication*
| dedup user
| table user
| rename user as title ]
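The thread's approach is to diff the user list from the REST endpoint against recent login activity. An added example (not from the thread or from Splunk) that does the same filtering outside of SPL, against the JSON form of the same `/services/authentication/users` endpoint the question uses: it assumes the usual REST JSON layout (an `entry` list whose items carry a `name`, shown as `title` in SPL, and a `content` dict with `roles` and, for users who have ever logged in, the epoch field `last_successful_login` that the question's query formats with `strftime`). The sample response is constructed, and the "now" timestamp is fixed so the run is deterministic.

```python
"""Flag Splunk users who have not logged in for N days.

Added example, not from the original thread. Assumes the JSON form of
`| rest /services/authentication/users` (output_mode=json): each entry has
a "name" (the user, shown as `title` in SPL) and a "content" dict with
"roles" and, for users who have logged in at least once, the epoch field
"last_successful_login".
"""
import json
import time

DAY = 86_400
NOW = 1_700_000_000  # fixed "now" so the example is deterministic

# Constructed sample REST response (not real data), shaped like Splunk's
# output_mode=json: one fresh user, one stale user, one that never logged in.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "admin",
         "content": {"roles": ["admin"],
                     "last_successful_login": NOW - 2 * DAY}},
        {"name": "analyst1",
         "content": {"roles": ["user", "power"],
                     "last_successful_login": NOW - 45 * DAY}},
        {"name": "svc_export",
         "content": {"roles": ["user"]}},  # no last_successful_login at all
    ]
})


def stale_users(rest_json, max_idle_days, now=None):
    """Return (user, roles, idle_days_or_None) for each user whose last
    successful login is older than max_idle_days, or who has no recorded
    login at all.

    Never-used accounts are included on purpose: they are exactly the
    dormant accounts an access review wants to surface, and the SPL table
    in the question would show them with an empty c_time.
    """
    now = int(time.time()) if now is None else now
    cutoff = now - max_idle_days * DAY
    hits = []
    for entry in json.loads(rest_json)["entry"]:
        content = entry.get("content", {})
        roles = content.get("roles", [])
        last = content.get("last_successful_login")
        if last is None:
            hits.append((entry["name"], roles, None))
        elif int(last) < cutoff:
            hits.append((entry["name"], roles, (now - int(last)) // DAY))
    return hits


def format_report(hits):
    """Render one line per dormant user, similar to the SPL `table` output."""
    lines = []
    for user, roles, idle in hits:
        when = "never" if idle is None else f"{idle} days ago"
        lines.append(f"{user:<12} {','.join(roles):<14} last login: {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(stale_users(SAMPLE_RESPONSE, max_idle_days=30, now=NOW)))
```

On a live instance the same JSON comes from the management port with `output_mode=json` on the request (for example `https://<splunk-host>:8089/services/authentication/users?output_mode=json`), and the script is run with a threshold matching the x days in the question; the `None` idle value for accounts with no login on record is the case the original `table` query hides as a blank cell.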
I can't say when this stopped working, but as of version 8.2.4 index=_audit no longer utilizes action=login*. Run a "| stats values(action)" and you'll see what I mean.
At 9.0.1 it gives those actions as earlier:
index=_audit action=login* earliest=-4h
| stats count by action
Thanks but this did not help.