Splunk Search

How to join searches to search for inactive Splunk users?

michaelnorup
Communicator

So I am trying to get a list of inactive Splunk users.
I have first tried just grabbing a list of all the users with the last login older than 6 months, but that gives me a list of users that have already been deleted in Splunk, like this:

index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user

Then I tried joining it with a list of the current users from the REST API like this:

| rest /services/authentication/users splunk_server=local 
| fields realname, title
| rename title as user
| join user type=left [
 search index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user
]

This doesn't work and just outputs a list of current users.
What I want:
A list of current Splunk users with last login attempt older than 6 months, with real name, username and last login time.

I have tried this solution from javiergn, but I cannot get the last login time from that:
https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-identify-inactive-users-ove...


scelikok
SplunkTrust

Hi @michaelnorup,

Since the action field is enriched by Splunk, you cannot search with action="login attempt". Also, you can just use the _time field for the time range.

Please try the search below:

| rest /services/authentication/users splunk_server=local 
| table realname, title 
| rename title as user 
| join user type=left 
    [ search index=_audit TERM(action=login) attempt ( TERM(info=succeeded) OR TERM(info=failed) ) action IN ("success","failure") earliest=-6mon 
    | stats latest(_time) as last_login_time by user 
    | convert ctime(last_login_time)]

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

michaelnorup
Communicator

Hi, unfortunately this still shows users that have logged in within the last couple of days.
They don't show the same amount of users, but still "active" ones.
It also only shows real name and username. I would like it to show the time as well.

*EDIT

So I have changed it to this:

| rest /services/authentication/users splunk_server=local
| fields realname, title, last_successful_login type
| rename title as user
| fillnull value=- 
| where last_successful_login<relative_time(now(),"-6mon") OR last_successful_login="-"
| convert ctime(last_successful_login)

But unfortunately all LDAP users have an empty "last_successful_login" field =(
Do you have a way to change that?

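An added SPL example (not posted by anyone in this thread) of the join-based approach that the question is after: it takes the current user list from the REST endpoint, left-joins the newest login attempt per user from _audit (reusing the search terms from scelikok's reply, which are assumed to match your instance), and keeps only users whose newest attempt is older than 6 months or who have no attempt at all in the window. Because it never reads last_successful_login, LDAP users are handled the same way as native users; the 1-year lookback window is an assumption, so pick one that covers your _audit retention.

```spl
| rest /services/authentication/users splunk_server=local
| fields title, realname, type
| rename title AS user
| join type=left user
    [ search index=_audit TERM(action=login) attempt ( TERM(info=succeeded) OR TERM(info=failed) ) action IN ("success","failure") earliest=-1y
      | stats latest(_time) AS last_attempt_epoch BY user ]
| where isnull(last_attempt_epoch) OR last_attempt_epoch < relative_time(now(), "-6mon")
| eval last_login_attempt = if(isnull(last_attempt_epoch), "none in search window", strftime(last_attempt_epoch, "%Y-%m-%d %H:%M:%S"))
| sort 0 last_attempt_epoch
| table user, realname, type, last_login_attempt
```

A user shown as "none in search window" either never logged in or last did so before the earliest _audit event you still retain, so treat that row as "unknown, older than the window" rather than "never". If the subsearch hits the default subsearch result or runtime limits on a busy instance, run the _audit stats as a scheduled report and join against its saved results instead.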