Splunk Search

search query - Lack of account activity for more than 3 months.

Aleksey_18
New Member

search query - Lack of account activity for more than 3 months.
There is a directory with the accounts that you need to drive through the activity from the connection for three months.
How can I make such a search ?

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You're best off creating a lookup containing all seen users, and frequently update last-seen timestamps with recent data.
Enterprise Security already has such a user tracker, the Security Essentials app might also - not sure, do check it out: https://splunkbase.splunk.com/app/3435/
Lacking that, here's a guide how to build such stateful lookups: https://www.splunk.com/blog/2011/01/11/maintaining-state-of-the-union.html

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...