How to search for Inactive Account Activity?

Jay1234
Explorer

I am trying to change the Inactive Account Activity Detected search, so the search reads: the time range of more than 365 days ago (instead of less than 90 days ago) and greater than 2 hours ago. Every time I add a greater than symbol or change 90 days I get an error message in Splunk.

Can anyone change this search so it reads that it's looking for inactive accounts of over 365 days ago which have just been logged into today?

| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

0 Karma

richgalloway
SplunkTrust

What error message do you get?  What is the exact SPL you've tried?

Bear in mind the first command of the query is a macro so any change to the arguments must be syntactically correct when the macro is expanded.  Type CTRL-Shift-e to have Splunk expand the macros for you.

---
If this reply helps you, Karma would be appreciated.

Jay1234
Explorer

At present the search is looking at events under 12 months and I want it to look for events after 12 months.
So anything I put before the brackets, i.e. greater than, > ("12mo","1"), comes up with an error message.

For example:
| `inactive_account_usage| where count =>12mo ("12mo","1")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Error message says:
Error in 'SearchParser': The name 'inactive_account_usage|where count =>12mo ' is invalid. Macro and argument names might only include alphanumerics, '_' and '-'.

When expanding the string I get:
| inputlookup append=T access_tracker where lastTime_user>=1659530054.000000
| stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user
| eval "second2lastTime"=mvdedup(mvappend('second2lastTime',NULL,'lastTime_vals')),"second2lastTime"=if(mvcount('lastTime')=1 AND mvcount('second2lastTime')>1 AND 'second2lastTime'='lastTime',split(ltrim(replace("|".mvjoin('second2lastTime',"|"),"\|".'lastTime',""),"|"), "|"),'second2lastTime'),"second2lastTime"=max('second2lastTime'),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime
| search inactiveDays>=12mo
| lookup update=true identity_lookup_expanded identity as user OUTPUTNEW _key as user_identity_id,bunit as user_bunit,category as user_category,email as user_email,endDate as user_endDate,first as user_first,identity as user_identity,identity_tag as user_identity_tag,jobTitle as user_jobTitle,last as user_last,managedBy as user_managedBy,nick as user_nick,phone as user_phone,prefix as user_prefix,priority as user_priority,startDate as user_startDate,suffix as user_suffix,userPrincipalName as user_userPrincipalName,watchlist as user_watchlist,work_city as user_work_city,work_country as user_work_country,work_lat as user_work_lat,work_long as user_work_long
| lookup identity_lookup_default_fields key as user OUTPUTNEW watchlist as user_watchlist
| eval "tag"=mvdedup(mvappend('tag',NULL,'user_identity_tag')),"user_startDate"=case(isnum('user_startDate'),'user_startDate',isnum(strptime('user_startDate',"%m/%d/%Y %H:%M")),strptime('user_startDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_startDate',"%m/%d/%y %H:%M")),strptime('user_startDate',"%m/%d/%y %H:%M"),1=1,'user_startDate'),"user_endDate"=case(isnum('user_endDate'),'user_endDate',isnum(strptime('user_endDate',"%m/%d/%Y %H:%M")),strptime('user_endDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_endDate',"%m/%d/%y %H:%M")),strptime('user_endDate',"%m/%d/%y %H:%M"),1=1,'user_endDate')
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
| fields + user,tag,inactiveDays,lastTime

0 Karma
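Added example, not from this thread or from Splunk Enterprise Security: the expanded search above shows what the macro actually does once its two arguments are substituted. The second argument becomes the lookback on `lastTime_user` (recent logins only), and the first argument is dropped straight into `search inactiveDays>=...`, where `inactiveDays` is the numeric `round((lastTime-second2lastTime)/86400,2)`. The Python below re-implements that arithmetic over a constructed `access_tracker`-style table so the threshold behaviour can be checked offline; the function and field names mirror the SPL, the sample rows, the fixed `NOW` value and the `as_day_count` helper are assumptions made here for illustration.

```python
from datetime import datetime, timezone

# Constructed "now" so the example is reproducible (epoch seconds, UTC).
NOW = 1659535200.0

# Constructed rows in the shape of the access_tracker lookup used by the
# expanded search: per user, the most recent and the previous login time.
SAMPLE_ACCESS_TRACKER = [
    # dormant 400 days, then logged in 30 minutes ago -> should alert at 365
    {"user": "svc_backup", "second2lastTime": NOW - 400 * 86400, "lastTime": NOW - 30 * 60},
    # normal daily user -> never alerts
    {"user": "jdoe", "second2lastTime": NOW - 2 * 86400, "lastTime": NOW - 10 * 60},
    # dormant 500 days but last login 5 days ago -> outside the 2 hour lookback
    {"user": "old_contractor", "second2lastTime": NOW - 500 * 86400, "lastTime": NOW - 5 * 86400},
    # dormant 100 days, logged in 1 hour ago -> alerts at 90, not at 365
    {"user": "mkim", "second2lastTime": NOW - 100 * 86400, "lastTime": NOW - 60 * 60},
]


def as_day_count(arg):
    """Validate the first macro argument.

    The expansion on this page shows the argument is substituted textually into
    `search inactiveDays>=...`, and inactiveDays is a plain number of days, so a
    relative-time token like "12mo" is not a usable value here; 365 is.
    """
    if isinstance(arg, str):
        if not arg.strip().isdigit():
            raise ValueError(f"inactive days must be a whole number of days, got {arg!r}")
        return int(arg)
    return int(arg)


def inactive_account_usage(rows, inactive_days, lookback_hours, now=NOW):
    """Python mirror of the expanded SPL:

        | inputlookup access_tracker where lastTime_user>=<now - lookback_hours>
        | eval inactiveDays=round((lastTime-second2lastTime)/86400,2)
        | search inactiveDays>=<inactive_days>
    """
    threshold = as_day_count(inactive_days)
    cutoff = now - float(lookback_hours) * 3600  # only logins inside the lookback window
    results = []
    for row in rows:
        if row["lastTime"] < cutoff:
            continue  # no recent activity, nothing to report
        inactive = round((row["lastTime"] - row["second2lastTime"]) / 86400, 2)
        if inactive >= threshold:
            results.append({"user": row["user"], "inactiveDays": inactive, "lastTime": row["lastTime"]})
    return results


def ctime(epoch):
    """Same rendering as the `convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)` step."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    # Equivalent of `inactive_account_usage("365","2")`: dormant over a year, used in the last 2 hours.
    for hit in inactive_account_usage(SAMPLE_ACCESS_TRACKER, "365", "2"):
        print(hit["user"], hit["inactiveDays"], ctime(hit["lastTime"]))
```

Running it with `("365","2")` reports only `svc_backup`; the same data with the original `("90","2")` also reports `mkim`, which is the widening the 90-day default gives. Passing `"12mo"` as the first argument raises a `ValueError`, which is the Python analogue of the comparison against a non-numeric literal that the expanded search on this page ends up with.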