Security

How to find KOs owned by inactive users?

whitecat001
Explorer

Please, what's the better way to create a search query for identifying knowledge objects from inactive users and cleaning them up?

0 Karma

richgalloway
SplunkTrust

Here's a query that will find most KOs owned by inactive users.  You may want to enhance it to also look for lookups.  Of course, change the '90' to whatever value you deem to be 'inactive'.

| rest splunk_server=local /servicesNS/-/-/admin/directory
| fields title eai:acl.app eai:acl.owner eai:type eai:acl.sharing
| rename eai:acl.* as *
| where (owner!="nobody" AND owner!="admin")
| search [| rest splunk_server = local /servicesNS/-/-/admin/users
| fields title last_successful_login
| eval lastLogin = if(isnull(last_successful_login) OR last_successful_login=0,"never", strftime(last_successful_login, "%c"))
| eval idleDays = round((now()-last_successful_login)/86400,0)
| where (idleDays > 90 OR lastLogin = "never")
| fields title
| rename title as owner | format]
---
If this reply helps you, Karma would be appreciated.
0 Karma
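Building on the query above, here is an added example (not from the original thread) that also folds in lookup table files and keeps the idle-days figure beside each object, so the list can be reviewed before anything is deleted. It assumes the `/servicesNS/-/-/data/lookup-table-files` endpoint, a 90-day threshold, and treats owners that no longer exist in the users list as their own case:

```spl
| rest splunk_server=local /servicesNS/-/-/admin/directory
| fields title eai:type eai:acl.app eai:acl.owner eai:acl.sharing
| rename eai:type AS type, eai:acl.* AS *
| append [
    | rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
    | fields title eai:acl.app eai:acl.owner eai:acl.sharing
    | rename eai:acl.* AS *
    | eval type="lookup-table-file" ]
| where owner!="nobody" AND owner!="admin"
| join type=left owner [
    | rest splunk_server=local /services/authentication/users
    | fields title last_successful_login
    | eval idleDays=if(isnull(last_successful_login) OR last_successful_login=0,
                       99999, round((now()-last_successful_login)/86400,0))
    | rename title AS owner
    | fields owner idleDays ]
| eval status=case(isnull(idleDays), "owner account missing",
                   idleDays>90, "owner inactive",
                   true(), "active")
| where status!="active"
| table status idleDays owner app sharing type title
| sort - idleDays
```

last_successful_login is recorded per instance, so on a search head cluster run this on each member (or check your identity provider's logs) before treating a user as inactive. Objects shared at app or global level are safer to hand over via Settings > All configurations > Reassign Knowledge Objects than to delete, since other users' searches may depend on them.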

marnall
Motivator

You can list the users using the REST API, then sort them by the number of days since last successful login:

| rest /services/authentication/users splunk_server=local
| table title email type last_successful_login
| eval days_since_last_login = round((now() - last_successful_login)/86400,1)
| sort - days_since_last_login

Then for each one, you can use the various REST APIs for knowledge objects, listed at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTaccess

e.g. for field extractions:

| rest /services/data/props/extractions splunk_server=local
| search eai:acl.owner = "<nameofinactiveuser>"
| table attribute author eai:acl.app eai:acl.owner stanza title updated type value

Unfortunately there is no endpoint for "all knowledge objects", so you'll have to REST call for each separate type.
EDIT: nvm, richgalloway found one.

0 Karma