Splunk Search

Users who have never logged in.

sanju005ind
Communicator

How do i find users who have never logged in.I have the total list of users available in a lookup file.

Tags (1)
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.

gkanapathy
Splunk Employee
Splunk Employee

In general, it would be something like:

| inputlookup useridlist | search NOT [ search sourcetype=loginactivity | fields userid ]

sanju005ind
Communicator

Is there no other way of checking if a user has not logged into splunk other then eliminating by checking those who logged in.I mean in the inner search how far back in time should I check to determine if a user has never logged in.

0 Karma

Oranges
Explorer

Users who have not logged into what?

sanju005ind
Communicator

Login to Splunk.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...