Splunk Search

About Salesforce logs

satiku
New Member

I would like to write SPL against Salesforce logs for the following requirements.

① Users who have failed login multiple times every day for one week or longer
② Detection of users locked out of login across multiple user IDs from the same IP

What SPL should I write for these?

0 Karma

tscroggins
Influencer

@satiku 

(I am answering based on the translation provided by https://translate.google.com/.)

In the following examples, replace index=sfdc with your Salesforce index. If you are using Splunk Add-on for Salesforce, authentication events have tag=authentication.

Search for users who logged in two weeks ago but have not logged in during the last week:

index=sfdc tag=authentication user=* action=success earliest=-2w latest=-1w
    NOT [ search index=sfdc tag=authentication user=* action=success earliest=-1w latest=now
          | stats latest(_time) as _time by user
          | table user ]

I do not know what a locked user looks like in Salesforce logs, but if we assume login failures lead to locked users, we can look for failures for multiple users from the same source:

index=sfdc tag=authentication user=* action=failure
| eventstats dc(user) as user_count by src
| where user_count>1

These examples can be adapted to use the Authentication data model as well, but you would want to filter by the app field or another field specific to Salesforce.

0 Karma
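Two searches that map directly onto the original requirements ① and ②, added here as examples; they are not taken from tscroggins's reply or from the Splunk Add-on for Salesforce. Both assume the same CIM field names the reply uses (user, src, action, tag=authentication) and index=sfdc. The first search counts failures per user per calendar day over the last seven complete days and keeps only users that had more than one failure on every one of those days (failure_days >= 7). The second search has no lockout status to filter on, because the page does not show what a locked-out login looks like in Salesforce events, so it treats 5 or more failures from one source against one user in 24 hours as a lockout; that threshold is an assumed value to be replaced by the maximum invalid login attempts configured in the org's password policy, or by a filter on the actual lockout status value if your events carry one.

```spl
index=sfdc tag=authentication user=* action=failure earliest=-7d@d latest=@d
| bin _time span=1d
| stats count AS failures BY user _time
| where failures > 1
| stats dc(_time) AS failure_days, sum(failures) AS total_failures BY user
| where failure_days >= 7
| sort - total_failures

index=sfdc tag=authentication user=* src=* action=failure earliest=-24h
| stats count AS failures BY src user
| where failures >= 5
| stats dc(user) AS locked_users, values(user) AS users, sum(failures) AS total_failures BY src
| where locked_users > 1
| sort - locked_users
```

The first search only checks the most recent seven whole days; to find a seven-day run anywhere inside a longer window you would need streamstats over the per-day rows rather than a plain dc(_time). The second search aggregates to one row per src instead of using eventstats, which is the shape you want if it is going to drive an alert: each result is one source address with the list of accounts it locked out. Run `| stats count by Status` (or whichever raw Salesforce field your events carry) first to confirm whether an explicit lockout value exists, and prefer that over the failure-count proxy when it does.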