Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk users expire after x days of inactivity

scheckenbachb
Explorer
‎01-21-2013 08:33 AM

Hi,
is it possible to set an "expire after x days of inactivity" for Splunk's own built-in system users? The Manager GUI in V 5.0.1 dosen't offer this.

Regards, Bernhard

Tags (1)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎01-21-2013 05:57 PM

You could do this using a scheduled script(cron / windows scheduled task) that communicates to SplunkD via the Splunk REST API.
The script could execute a search(via the REST API) to determine the last time each user logged in, and calculate which users have been inactive for x days.In the following example, 2592000 seconds is 30 days

index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time |  eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

And then remove the users(via the REST API) that are returned in the search results.
We have several language SDKs that sit atop the REST API to make this development easier.

You could also do this using the Splunk CLI.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...