Splunk Search
Highlighted

Users who have never logged in.

Communicator

How do i find users who have never logged in.I have the total list of users available in a lookup file.

Tags (1)
Highlighted

Re: Users who have never logged in.

Explorer

Users who have not logged into what?

Highlighted

Re: Users who have never logged in.

Communicator

Login to Splunk.

0 Karma
Highlighted

Re: Users who have never logged in.

Splunk Employee
Splunk Employee

In general, it would be something like:

| inputlookup useridlist | search NOT [ search sourcetype=loginactivity | fields userid ]
Highlighted

Re: Users who have never logged in.

Communicator

Is there no other way of checking if a user has not logged into splunk other then eliminating by checking those who logged in.I mean in the inner search how far back in time should I check to determine if a user has never logged in.

0 Karma
Highlighted

Re: Users who have never logged in.

Splunk Employee
Splunk Employee

Using Gerald's example, you could do this:

| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]

Your allusers.csv would look like this:

user
bob
jim

The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.

View solution in original post