I am attempting to write a query that searches Splunk for any users that have not logged in for the past 60 days. This is a compliance requirement and all query's are not working.
Our login sourcetype is sam:xml
My latest search resulted in zero events:
index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user
@williamdicker - Did the answer provided by naidusadanala help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
index=_audit action="login attempt" info=succeeded |stats max(timestamp) as last_login_time by user | eval last_login_time = strptime('last_login_time', "%m-%d-%Y %H:%M:%S")
| eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user
very good here!
for 60 days change 2592000 (this is 30 days) to 5184000
You are right