How do i find users who have never logged in.I have the total list of users available in a lookup file.
In general, it would be something like:
| inputlookup useridlist | search NOT [ search sourcetype=loginactivity | fields userid ]
Is there no other way of checking if a user has not logged into splunk other then eliminating by checking those who logged in.I mean in the inner search how far back in time should I check to determine if a user has never logged in.
Using Gerald's example, you could do this:
| inputcsv allusers.csv | search NOT [ search index=_internal (sourcetype=splunk_web_access OR sourcetype=splunkd_access) | fields user | dedup user ]
Your allusers.csv would look like this:
user bob jim
The first line (i.e. "user" in this example) is the field name. It's easiest to stick with "user", since this is the field in _internal.