Re: find users who hasnt logged in the past 30 day...

iiix94 · ‎10-07-2021

Hello! I have a lookup table with fields 'name' and 'last_login'. I'm trying to find users who haven't logged in the past 30 days.
Originally, I had this:

| inputlookup Users.csv
| where strptime('last_login',"%m/%d/%Y %H:%M:%S") < relative_time(now(),"-30d@d") OR isnull(last_login)
| sort last_login desc

However, it is only outputting users that logged in 30+ days ago. I would like to exclude users who are still logging in recently (in those 30 days). Thank you! Any help would be greatly appreciated!

ITWhisperer · ‎10-07-2021

What is the issue here - assuming your lookup is up to date, the search will do what you are asking for. Or is it that your lookup is not up to date and you want to check more recent events which are not in the lookup?

iiix94 · ‎10-07-2021

The lookup is updated with recent login events. This query pulled users who logged in 30 days ago, including users who are still logging in recently. I would like to exclude those users. I would like users whose last login was 30 days ago, so permissions can be removed!

ITWhisperer · ‎10-07-2021

Try something like this

| inputlookup Users.csv
| eval last_login = strptime('last_login',"%m/%d/%Y %H:%M:%S")
| sort 0 last_login desc
| stats first(last_login) as last_login by user
| where last_login < relative_time(now(),"-30d@d")

iiix94 · ‎10-07-2021

Hmm.. Not working..

find users who hasnt logged in the past 30 days

fields

lookup

stats

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services