Security

How can I search for users that haven't logged into Splunk for 90+ days?

splunker969
Communicator

Any query help highly appreciated. Thanks in advance!
Lists accounts in Splunk that have not been used (logged on) for 90 days or more.

Does Splunk automatically delete users after 90 days?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi splunker969,
try something like this

index=_audit earliest=-90d latest=now
| stats count BY user
| append [ | rest splunk_server=local /services/authentication/users | rename title AS user | eval count=0 | fields user count ] 
| stats sum(count) AS Total BY user
| where Total=0
| table user 

Anyway Splunk doesn't automatically delete users.

Bye.
Giuseppe

splunker969
Communicator

Thanks @cusello

0 Karma

dbturner18
Loves-to-Learn Lots

What is the | eval count=0| portion for in the rest subsearch?

0 Karma

dbturner18
Loves-to-Learn Lots

From what I can tell it just adds a value to the blank counts so they can be calculated in the stats call?
@gcusello

0 Karma

gcusello
SplunkTrust

Hi splunker969,
If you don't use count=0, you cannot aggregate and sum results from the main search and the list of all users, so the search doesn't run.
The approach is that you always need to have a value, even when there isn't any result in the main search (that's the problem solved this way).

Ciao and next time!
Giuseppe

0 Karma
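As an added, offline illustration of the logic in Giuseppe's query and of the count=0 question that follows it (this is example code written for this page, not code from the post or from Splunk): the script below models the same three steps, count activity per user, append a zero row for every defined account, report accounts whose total is still zero. It assumes a handful of constructed audit lines in roughly the shape Splunk writes to _audit, a constructed user list standing in for the `title` values of `/services/authentication/users`, and a fixed reference time so it runs without a Splunk instance. Two things differ from the original query on purpose: only `action="login attempt"` events (and by default only `info=succeeded`) count as use of an account, since a bare count over _audit also counts searches and configuration changes made under that user; and accounts that logged in but are absent from the user list are reported separately, because the append trick can only zero-fill names the REST call returns.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records. The shape approximates Splunk's _audit
# "login attempt" events; the users, times and addresses are invented.
SAMPLE_AUDIT = """\
Audit:[timestamp=09-01-2021 08:15:02.000, user=admin, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.5]
Audit:[timestamp=09-20-2021 12:00:00.000, user=alice, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.7]
Audit:[timestamp=09-21-2021 12:00:00.000, user=bob, action=login attempt, info=failed, reason=user-initiated, clientip=10.0.0.8]
Audit:[timestamp=05-01-2021 09:00:00.000, user=carol, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.9]
Audit:[timestamp=09-22-2021 13:00:00.000, user=admin, action=search, info=granted, search_id='1632315600.1']
Audit:[timestamp=09-25-2021 07:30:00.000, user=erin, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.11]
"""

# Constructed stand-in for the "title" values returned by
# | rest /services/authentication/users (the list of defined accounts).
SAMPLE_USERS = ["admin", "alice", "bob", "carol", "dave"]

# Fixed reference time ("now") so the example is reproducible offline.
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)

_FIELD = re.compile(r"(\w+)=([^,\]]+)")
_TS_FMT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line):
    """Split one 'Audit:[k=v, k=v, ...]' record into a dict; None if not an audit record."""
    m = re.search(r"Audit:\[(.*)\]$", line.strip())
    if not m:
        return None
    return {k: v.strip().strip("'\"") for k, v in _FIELD.findall(m.group(1))}


def login_counts(lines, now=NOW, window_days=90, successful_only=True):
    """Equivalent of `index=_audit earliest=-90d | stats count BY user`, but
    restricted to login events (by default successful ones only), so that
    searches and configuration changes do not count as 'use' of an account."""
    cutoff = now - timedelta(days=window_days)
    counts = {}
    for line in lines:
        ev = parse_audit_line(line)
        if not ev or ev.get("action") != "login attempt":
            continue
        if successful_only and ev.get("info") != "succeeded":
            continue
        ts = datetime.strptime(ev["timestamp"], _TS_FMT).replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


def inactive_users(users, counts):
    """The append / stats sum / where Total=0 part of the query: every defined
    account starts at count=0 (that is what the `eval count=0` row in the
    subsearch provides), activity counts are added on top, and accounts whose
    total is still 0 are reported. Without the zero row an account with no
    events would simply be absent from the stats output and never be listed."""
    totals = {u: 0 for u in users}
    for user, c in counts.items():
        totals[user] = totals.get(user, 0) + c
    return sorted(u for u, t in totals.items() if t == 0)


def unknown_active_users(users, counts):
    """Accounts that logged in but are not in the user list, e.g. one deleted
    since the login. The original query leaves these with Total > 0, so they
    never show up as inactive; they are worth reviewing separately."""
    return sorted(set(counts) - set(users))


if __name__ == "__main__":
    counts = login_counts(SAMPLE_AUDIT.splitlines())
    print("login counts in window:", counts)
    print("inactive (no successful login in 90 days):", inactive_users(SAMPLE_USERS, counts))
    print("logged in but not a defined user:", unknown_active_users(SAMPLE_USERS, counts))
```

On the sample data, carol's last login is outside the 90-day window and dave has none at all, so both are reported; bob is reported as well because his only login failed, and passing `successful_only=False` would drop him from the list, which is the choice to make consciously when reviewing accounts. Run against real data, replace `SAMPLE_AUDIT` with the raw `_audit` events and `SAMPLE_USERS` with the REST output; the logic stays the same.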