Users who have never logged in.

sanju005ind
Communicator

How do I find users who have never logged in? I have the total list of users available in a lookup file.

1 Solution

Ron_Naken
Splunk Employee

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.
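
An added example, not part of the original thread or the posters' own searches: the same comparison written without a subsearch, with the lookback window stated explicitly and user names lower-cased before matching. The 30-day window and the field names `last_seen` and `seen` are assumptions; a user listed here has no access-log entry inside the searched window, so the window and the retention of `_internal` bound what "never" can mean.

```spl
index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) user=* earliest=-30d latest=now
| stats max(_time) AS last_seen BY user
| inputcsv append=true allusers.csv
| eval user=lower(user), seen=if(isnull(last_seen), 0, 1)
| stats max(seen) AS seen, max(last_seen) AS last_seen BY user
| where seen=0
| fields user
```

Dropping the final two lines and adding `| eval last_seen=strftime(last_seen, "%F %T")` instead lists every user with their most recent access time, leaving it blank for those not seen in the window.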

gkanapathy
Splunk Employee

In general, it would be something like:

| inputlookup useridlist | search NOT [ search sourcetype=loginactivity | fields userid ]

sanju005ind
Communicator

Is there no other way of checking if a user has not logged into Splunk other than eliminating by checking those who logged in? I mean, in the inner search, how far back in time should I check to determine if a user has never logged in?

0 Karma

Oranges
Explorer

Users who have not logged into what?

sanju005ind
Communicator

Login to Splunk.

0 Karma