Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk users expire after x days of inactivity

scheckenbachb
Explorer
‎01-21-2013 08:33 AM

Hi,
is it possible to set an "expire after x days of inactivity" for Splunk's own built-in system users? The Manager GUI in V 5.0.1 dosen't offer this.

Regards, Bernhard

Tags (1)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎01-21-2013 05:57 PM

You could do this using a scheduled script(cron / windows scheduled task) that communicates to SplunkD via the Splunk REST API.
The script could execute a search(via the REST API) to determine the last time each user logged in, and calculate which users have been inactive for x days.In the following example, 2592000 seconds is 30 days

index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time |  eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

And then remove the users(via the REST API) that are returned in the search results.
We have several language SDKs that sit atop the REST API to make this development easier.

You could also do this using the Splunk CLI.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...