Search for inactive users in my application

Explorer

I am using Splunk to monitor my application and would like to know which users have been inactive for the last X days.

I have a user lookup with userId and username. I think I can accomplish this search using "inputlookup myuserlookup | search NOT", but I got stuck.

I would really appreciate any advice figuring out the syntax. (I'm still a noob at this.)

Explorer

The solution is to 1) create an intermediate file of ACTIVE users, then 2) do a lookup between the list of ALL users and ACTIVE USERS to get the INACTIVE users.

0) Have a list of all users uploaded to Splunk called "all-users"

1) Run this search to create the intermediate file named weeklyactiveusers.csv:
* | stats dc(userid) as "loggedin" by userid | outputlookup weeklyactiveusers.csv

2) Run this search to see the INACTIVE users:
| inputlookup "all-users" | lookup weeklyactiveusers.csv userid as userid | where isnull(loggedin)

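The two-step approach above works, but the intermediate CSV goes stale the moment it is written and has to be regenerated before every inactive-user check. As an added example (not part of the accepted answer), the same set difference can be done in one search by appending the lookup to the login results and collapsing on userid. It assumes the application's events are in an index called myapp and carry a userid field (both assumptions; adjust to your own index and field), and uses the all-users lookup with userid and username described in the question:

```spl
index=myapp earliest=-30d@d latest=@d userid=*
| stats max(_time) AS last_seen BY userid
| inputlookup append=t all-users
| stats max(last_seen) AS last_seen, values(username) AS username BY userid
| where isnull(last_seen)
| table userid username
```

The first stats produces one row per user who appeared in the window, with their most recent event time. inputlookup append=t adds one row per user from the lookup underneath those results; the second stats merges the two sets by userid, so a user who only exists in the lookup ends up with no last_seen value and is reported as inactive. Change earliest to set the inactivity window, and note that a user who has events but is missing from the lookup is dropped silently by the isnull filter, so the lookup must be kept complete for the result to be trustworthy.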

Contributor

Hi.. user activity will be available in audit. One way to do what you want would be to

  1. List all users who have logged in in the time period you are interested in
  2. Dedup them with the users who have actually logged in (this will eliminate all the users who have logged in)

Logged-in users will be available in audit entries. Assuming you named your field as users in your lookup table, something along the lines of the below might help (for e.g. the past 3 days):

index=_audit earliest=-3d@d latest=@d action="login attempt" info=succeeded
| stats count by user
| fields user
| inputlookup append=t myuserlookup
| stats count by user
| where count=1

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup

Explorer

To clarify, I am interested in users of my application, not of the Splunk application. The entire list of users are in the lookup file I have uploaded.

Contributor

Ah.. then you might not need a lookup. If you have the users set up right in Splunk, something like the below might work:

index=_audit action="login attempt" info="succeeded" earliest=-7d@d latest=-3d@d
    NOT [ search index=_audit action="login attempt" info="succeeded" earliest=-3d@d | dedup user | fields user ]
| dedup user
| join user [ | rest /services/authentication/users splunk_server=local | search defaultApp=yourapp_here | fields title defaultApp | rename title as user ]
| fields user defaultApp

This should give you the users who have not logged in for the past 3 days out of all users who have logged in in the past 7 days... you can change the time period to fit your requirements.
