Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Successful dormant user logins

saurabh_tek
Communicator
‎10-08-2016 08:02 AM

hello I am trying to write a query for Successful dormant user logins
whereas the user has successfully logged in today but in last 30 days there was no activity done by this same user.

Here is my query - (which needs refinement)

index=wineventlog EventCode=4624 user!="$" earliest= @d latest = now()| transaction user [search EventCode!=4624 user!="$" earliest=-2d latest=@d] | table _time, user

if anyone can help in getting this refined and do what is needed, that would be great help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2016 01:03 PM

Perhaps this will help. The idea is to look at the last 30 days of successful logins and find the users that have signed in only once and that login was today.

index=wineventlog EventCode=4624 user!="$" earliest= -30d@d | stats count(_time) as Logins latest(_time) as LastLogin by user | where Logins=1 AND LastLogin>relative_time(now(),"@d") | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

saurabh_tek
Communicator
‎10-11-2016 01:52 PM

Thanks for prompt support.
With earliest 30 days, it takes way too much time and showing lot of users with 1 logins, i dont think these many users accessing their dormant a/cs in our environment.

0 Karma
Reply

saurabh_tek
Communicator
‎10-08-2016 12:10 PM

okay. I have optimized it a little bit apparently ..

index=wineventlog EventCode=4624 user!=\"$\" earliest= @d latest = now() | transaction user maxspan=60d search (EventCode!=)

looking for more suggestions.. to get this working what is intended

0 Karma
Reply

saurabh_tek
Communicator
‎10-08-2016 12:09 PM

okay. I have optimized it a little bit apparently ..

index=wineventlog EventCode=4624 user!="$" earliest= @d latest = now() | transaction user maxspan=60d search (EventCode!=)

looking for more suggestions.. to get this working what is intended

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...