Reporting

report showing when users last logged in to splunk - suspicious of results

vincenp2
New Member

|rest /services/authentication/users splunk_server=<hostname>
| rename title as user | join type=left user [|search index=_audit | dedup user | convert ctime(_time) as last_login | table user last_login]
| table user,email,last_login

This report brings back a list of users and their email addresses. I want to use this to identify any users who have NOT logged in for more than 70 days, so that potentially their userid can be removed as no longer required. The assumption is that if the last_login field is empty these users have not logged in.

I have used a number of date ranges (All, Date Range (e.g. between 26 September and 6 December), Relative (e.g. last 70 days)), but the dates in the last_login field only seem to go back as far as a few weeks, when I would have expected to see a spread of dates going back a long way, if using the 'All' option for example.

Could anyone advise why I am only getting recent dates, or perhaps a better query to obtain the results I need please?

Thank you

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

Hi @vincenp2,

Can you please try this?

| rest /services/authentication/users splunk_server=<hostname>
| rename title as user
| join type=left user
    [| search index=_audit
    | dedup user
    | rename _time as time
    | table user time]
| table user,email,time
| eval diff = now() - time , secsfordays= (70 * 86400)
| where isnull(time) OR diff > secsfordays

Thanks


0 Karma


vincenp2
New Member

Many thanks - I do seem to get the same results, which perhaps suggests that these are accurate, and it is me that should trust the results 🙂

0 Karma

LeeSart
Explorer

By default, data in the _audit index is only kept for 30 days. Assuming the rest API gets the data from the same source, this would explain why you're only seeing recent results.

0 Karma
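The two points raised in this thread, flagging accounts whose last successful login is older than the threshold (including accounts with no login at all, which a plain `where diff > 70*86400` silently drops because the comparison against a null `time` is false) and the fact that a short _audit retention makes "never logged in" indistinguishable from "logged in before the retention window", can be checked outside Splunk against exported audit lines. The following is an added example written for this page; it is not code from the thread or from Splunk. The user list and the audit lines are constructed sample data; the line layout and the `action="login attempt"` / `info=succeeded` field values follow what Splunk writes to audit.log, and the 70-day threshold is the one from the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for what `| rest /services/authentication/users` returns
# (title = username). Not real accounts.
USERS = [
    {"user": "alice", "email": "alice@example.com"},
    {"user": "bob", "email": "bob@example.com"},
    {"user": "carol", "email": "carol@example.com"},
    {"user": "svc_backup", "email": ""},
]

# Constructed _audit-style lines. Only "login attempt" + "succeeded" counts as a
# login; searches and failed attempts are deliberately included as noise.
AUDIT_LOG = """\
Audit:[timestamp=09-20-2024 08:15:02.000, user=alice, action=login attempt, info=succeeded, reason=""]
Audit:[timestamp=10-01-2024 09:02:11.000, user=bob, action=search, info=granted, search_id='1727773331.5']
Audit:[timestamp=12-02-2024 07:59:30.000, user=carol, action=login attempt, info=failed, reason="user-initiated"]
Audit:[timestamp=12-05-2024 12:00:00.000, user=bob, action=login attempt, info=succeeded, reason=""]
"""
# Same log with everything older than a few days trimmed, mimicking a short
# retention window on the _audit index.
RECENT_ONLY = "\n".join(AUDIT_LOG.splitlines()[2:])

# "Now" fixed to the date mentioned in the question so results are reproducible.
NOW = datetime(2024, 12, 6, 9, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"timestamp=(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}), "
    r"user=(?P<user>[^,]+), action=(?P<action>[^,]+), info=(?P<info>[^,\]]+)"
)


def parse_audit(text):
    """Return (timestamp, user, action, info) tuples for every parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed audit line
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], m["info"]))
    return events


def last_successful_login(events):
    """user -> most recent successful login; the SPL equivalent is
    `search action="login attempt" info=succeeded | dedup user` on time-sorted data."""
    last = {}
    for ts, user, action, info in events:
        if action == "login attempt" and info == "succeeded":
            if user not in last or ts > last[user]:
                last[user] = ts
    return last


def report(users, audit_text, now, days=70):
    """Accounts to review for removal. Users with no retained login are reported,
    but labelled 'unknown' when the audit data does not reach back `days`, since
    the data then cannot distinguish 'never logged in' from 'logged in earlier'."""
    events = parse_audit(audit_text)
    cutoff = now - timedelta(days=days)
    earliest = min((e[0] for e in events), default=None)
    covers_window = earliest is not None and earliest <= cutoff
    last = last_successful_login(events)

    review = []
    for u in users:
        ts = last.get(u["user"])
        if ts is None:
            status = ("no login in retained audit data" if covers_window
                      else "unknown (audit retention shorter than threshold)")
        elif ts < cutoff:
            status = f"last login {(now - ts).days} days ago"
        else:
            continue  # active within the window
        review.append({"user": u["user"], "email": u["email"],
                       "last_login": ts, "status": status})
    return {"covers_window": covers_window, "earliest_event": earliest, "review": review}


if __name__ == "__main__":
    for label, log in (("full retention", AUDIT_LOG), ("short retention", RECENT_ONLY)):
        r = report(USERS, log, NOW)
        print(f"{label}: audit covers 70-day window = {r['covers_window']}")
        for row in r["review"]:
            print(f"  {row['user']:<12} {row['status']}")
```

The `covers_window` flag is the check worth adding to the Splunk report itself: if `| search index=_audit | stats min(_time)` returns a time newer than `now() - 70*86400`, the "no login" rows cannot be trusted as "never logged in", which matches the retention explanation above. The SPL counterpart of the subsearch here is `index=_audit action="login attempt" info=succeeded | dedup user`, and the final filter should be `where isnull(time) OR diff > secsfordays` so that accounts with no login survive the join.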