Splunk Search

Inactive Users

williamdicker
New Member

Hello Splunk,

I am attempting to write a query that searches Splunk for any users that have not logged in for the past 60 days. This is a compliance requirement and all query's are not working.

Our login sourcetype is sam:xml

My latest search resulted in zero events:

index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

Tags (3)
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@williamdicker - Did the answer provided by naidusadanala help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

naidusadanala
Communicator

Try this

index=_audit action="login attempt" info=succeeded |stats max(timestamp) as last_login_time by user | eval last_login_time = strptime('last_login_time', "%m-%d-%Y %H:%M:%S")
| eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

adonio
Ultra Champion

very good here!
for 60 days change 2592000 (this is 30 days) to 5184000

0 Karma

naidusadanala
Communicator

You are right

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...