Splunk Search

How to join searches to search for inactive Splunk users?

michaelnorup
Communicator

So I am trying to get a list of inactive Splunk users.
I have first tried just grabbing a list of all the users with the last login older than 6 months, but that gives me a list of users that have already been deleted in Splunk, like this:

index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user

Then I tried joining it with a list of the current users from the REST API like this:

| rest /services/authentication/users splunk_server=local 
| fields realname, title
| rename title as user
| join user type=left [
 search index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user
]

This doesn't work and just outputs a list of current users.
What I want:
A list of current Splunk users with a last login attempt older than 6 months, showing real name, username and last login time.

I have tried this solution from javiergn, but I cannot get the last login time with it:
https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-identify-inactive-users-ove...


scelikok
SplunkTrust

Hi @michaelnorup,

Since the action field is enriched by Splunk, you cannot search with action="login attempt". Also, you can just use the _time field for the time range.

Please try the below:

| rest /services/authentication/users splunk_server=local 
| table realname, title 
| rename title as user 
| join user type=left 
    [ search index=_audit TERM(action=login) attempt ( TERM(info=succeeded) OR TERM(info=failed) ) action IN ("success","failure") earliest=-6mon 
    | stats latest(_time) as last_login_time by user 
    | convert ctime(last_login_time)]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

michaelnorup
Communicator

Hi, unfortunately this still shows users that have logged in within the last couple of days.
It doesn't show the same amount of users, but still "active" ones.
It also only shows real name and username. I would like it to show the time as well.

*EDIT

So I have changed it to this:

| rest /services/authentication/users splunk_server=local
| fields realname, title, last_successful_login, type
| rename title as user
| fillnull value=- 
| where last_successful_login<relative_time(now(),"-6mon") OR last_successful_login="-"
| convert ctime(last_successful_login)

But unfortunately all LDAP users have an empty "last_successful_login" field =(
Do you have a way to change that?

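As an added example (not from either post above), the following search addresses both problems in the thread: a subsearch restricted to events older than 6 months still returns a "latest" row for users who also logged in yesterday, so the latest login must be computed over a window longer than the inactivity threshold and filtered afterwards; and because the REST last_successful_login field is empty for LDAP accounts, the login time is taken from index=_audit for every account type. It assumes Splunk 9.0 or later (for the backtick comments) and that _audit is retained for at least a year.

```spl
| rest /services/authentication/users splunk_server=local  ```every current account: Splunk, LDAP, SAML```
| fields realname, title, type
| rename title AS user
| join type=left user  ```left join keeps accounts that have no login event at all```
    [ search index=_audit TERM(action=login) attempt (TERM(info=succeeded) OR TERM(info=failed)) earliest=-1y
      | stats latest(_time) AS last_login_epoch BY user ]  ```newest attempt per user over the full year```
| where isnull(last_login_epoch) OR last_login_epoch < relative_time(now(), "-6mon")  ```inactive: never, or older than 6 months```
| eval last_login=if(isnull(last_login_epoch), "no login attempt in 1y", strftime(last_login_epoch, "%Y-%m-%d %H:%M:%S"))
| sort last_login_epoch
| table realname, user, type, last_login
```

Accounts whose only logins are older than the _audit retention appear as "no login attempt in 1y", which is the right bucket for a deprovisioning review. The join subsearch is bounded by the subsearch result limit, so on deployments with more than a few tens of thousands of users replace the join with an append of both result sets followed by stats values() BY user.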