Hello! I have a lookup table with fields 'name' and 'last_login'. I'm trying to find users who haven't logged in the past 30 days.
Originally, I had this:
| inputlookup Users.csv
| where strptime('last_login',"%m/%d/%Y %H:%M:%S") < relative_time(now(),"-30d@d") OR isnull(last_login)
| sort last_login desc
However, it is only outputting users that logged in 30+ days ago. I would like to exclude users who are still logging in recently (in those 30 days). Thank you! Any help would be greatly appreciated!
What is the issue here - assuming your lookup is up to date, the search will do what you are asking for. Or is it that your lookup is not up to date and you want to check more recent events which are not in the lookup?
The lookup is updated with recent login events. This query pulled users who logged in 30 days ago, including users who are still logging in recently. I would like to exclude those users. I would like users whose last login was 30 days ago, so permissions can be removed!
Try something like this
| inputlookup Users.csv
| eval last_login = strptime('last_login',"%m/%d/%Y %H:%M:%S")
| sort 0 last_login desc
| stats first(last_login) as last_login by user
| where last_login < relative_time(now(),"-30d@d")
Hmm.. Not working..