Background: as part of our account management auditing, I'd like to schedule a weekly report that shows me user accounts that haven't logged in over the last 14 days. I currently have this search: index=wineventlog EventCode=4624 user="*-c" | fields user EventCode index src_dns | table _time user host src_dns | stats max(_time) as last by src_dns user | stats max(last) as "Last Login" last(src_dns) as "Source Workstation" by user | convert ctime("Last Login") | sort "Last Login" | rename user as User This search displays users by their latest login, but how can I filter it further to show those whose latest login was over 14 days ago? Thanks! ... View more

We have two search heads. One of them is a deployment server containing mostly apps and the other is dedicated to Enterprise Security/other security stuff. On the dedicated ES server, we just upgraded from v5.1 to 5.2 and are being presented with the following message : "Installer was unable to start. Error in 'essinstall' command: (InstallException) Install cannot continue because some apps are managed via a deployment server:...." and then lists a handful of apps from the deployment server. On the deployment server/other apps server, we received this message: "Unable to initialize modular input "ess_content_importer" defined inside the app "SplunkEnterpriseSecuritySuite": Introspecting scheme=ess_content_importer: script running failed (exited with code 1)." Any ideas on how to resolve this? Thank you in advance! ... View more