Security

Unused VMs/PCs

pawelsh
New Member

Hello,

If I wanted to find certain machines (virtual or not) that have not been logged into BY ANYONE in, let's say, the past 30 days, could you assist with a query/statement?

Or the easiest method to use for finding workstations or VMs we can remove based on no logins in the past X amount of days...

Thanks in advance,

Patrick


kristian_kolb
Ultra Champion

So you want to search the logs for something that is not there. That is inherently problematic.
In essence you'll have to search through your logs for the last 30 days, and identify the systems that were used. Then you'll have to search through all the rest of your logs and make note of any system that is not part of the result set from the first search. Those would be the systems you really want to find.

One way to do that is through a subsearch:

sourcetype=your_sourcetype latest=-30@d NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

Another, far more efficient, way is to use a trustworthy asset list as a lookup, since that would eliminate the outer part of the search above:

| inputlookup your_asset_file.csv | search NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

If you don't have an asset list, it might be useful to build one, with Splunk that is, especially if you are going to run this search on a regular basis. A good description of how to build state tables (which a list of currently active servers can be seen as) can be found here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

The idea is to:

  • read the list from disk as search results
  • search for new data (hostnames) and append them to the results
  • dedup the results
  • write out the new file to disk

Once you have this going, you could have a scheduled daily search that only has to go through a single day's worth of data.

What sort of data DO you have?

/k

0 Karma
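A concrete version of the state-table approach from the answer above, added here as an example and not part of kristian_kolb's post. It goes one step further than a deduped hostname list by keeping the last logon time per host, so the 30-day question becomes a single lookup query instead of a NOT-subsearch. It assumes Windows Security logon events (sourcetype WinEventLog:Security, EventCode 4624, interactive Logon_Type 2/10/11 so that service and network logons do not count as "someone logged in") with the host in the ComputerName field, and a lookup file named active_hosts.csv; the first search is the daily scheduled update, the second (after the blank line) is the report of hosts nobody has logged into for 30 days.

```spl
| inputlookup active_hosts.csv
| eval last_logon=tonumber(last_logon)
| append
    [ search sourcetype="WinEventLog:Security" EventCode=4624
        (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11)
        earliest=-1d@d latest=@d
      | stats max(_time) AS last_logon BY ComputerName ]
| stats max(last_logon) AS last_logon BY ComputerName
| outputlookup active_hosts.csv

| inputlookup active_hosts.csv
| where tonumber(last_logon) < relative_time(now(), "-30d@d")
| eval last_logon=strftime(tonumber(last_logon), "%Y-%m-%d %H:%M:%S")
| table ComputerName, last_logon
```

The update search fails until active_hosts.csv exists, so seed it once by running the bracketed search on its own over the last 30 days followed by `| outputlookup active_hosts.csv`. Hosts that have never produced a logon event will not be in the table at all, which is where an independent asset list (as in the answer's inputlookup variant) is still needed.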