Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

find users who hasnt logged in the past 30 days

iiix94
Loves-to-Learn
‎10-07-2021 10:11 AM

Hello! I have a lookup table with fields 'name' and 'last_login'. I'm trying to find users who haven't logged in the past 30 days. 
Originally, I had this:

 

| inputlookup Users.csv
| where strptime('last_login',"%m/%d/%Y %H:%M:%S") < relative_time(now(),"-30d@d") OR isnull(last_login)
| sort last_login desc

 

However, it is only outputting users that logged in 30+ days ago. I would like to exclude users who are still logging in recently (in those 30 days). Thank you! Any help would be greatly appreciated!

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 10:21 AM

What is the issue here - assuming your lookup is up to date, the search will do what you are asking for. Or is it that your lookup is not up to date and you want to check more recent events which are not in the lookup?

0 Karma
Reply

iiix94
Loves-to-Learn
‎10-07-2021 10:39 AM

The lookup is updated with recent login events. This query pulled users who logged in 30 days ago, including users who are still logging in recently. I would like to exclude those users. I would like users whose last login was 30 days ago, so permissions can be removed!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 11:16 AM

Try something like this

| inputlookup Users.csv
| eval last_login = strptime('last_login',"%m/%d/%Y %H:%M:%S")
| sort 0 last_login desc
| stats first(last_login) as last_login by user
| where last_login < relative_time(now(),"-30d@d")
0 Karma
Reply

iiix94
Loves-to-Learn
‎10-07-2021 12:33 PM

Hmm.. Not working..

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...