Splunk Search

Inactive Users

williamdicker
New Member

Hello Splunk,

I am attempting to write a query that searches Splunk for any users that have not logged in for the past 60 days. This is a compliance requirement and all query's are not working.

Our login sourcetype is sam:xml

My latest search resulted in zero events:

index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

Tags (3)
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@williamdicker - Did the answer provided by naidusadanala help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

naidusadanala
Communicator

Try this

index=_audit action="login attempt" info=succeeded |stats max(timestamp) as last_login_time by user | eval last_login_time = strptime('last_login_time', "%m-%d-%Y %H:%M:%S")
| eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

adonio
SplunkTrust
SplunkTrust

very good here!
for 60 days change 2592000 (this is 30 days) to 5184000

0 Karma

naidusadanala
Communicator

You are right

0 Karma