Background: as part of our account management auditing, I'd like to schedule a weekly report that shows me user accounts that haven't logged in over the last 14 days. I currently have this search:
index=wineventlog EventCode=4624 user="*-c"
| fields user EventCode index src_dns
| table _time user host src_dns
| stats max(_time) as last by src_dns user
| stats max(last) as "Last Login" last(src_dns) as "Source Workstation" by user
| convert ctime("Last Login")
| sort "Last Login"
| rename user as User
This search displays users by their latest login, but how can I filter it further to show those whose latest login was over 14 days ago?
... View more
We have two search heads. One of them is a deployment server containing mostly apps and the other is dedicated to Enterprise Security/other security stuff.
On the dedicated ES server, we just upgraded from v5.1 to 5.2 and are being presented with the following message :
"Installer was unable to start. Error in 'essinstall' command: (InstallException) Install cannot continue because some apps are managed via a deployment server:...."
and then lists a handful of apps from the deployment server.
On the deployment server/other apps server, we received this message:
"Unable to initialize modular input "ess_content_importer" defined inside the app "SplunkEnterpriseSecuritySuite": Introspecting scheme=ess_content_importer: script running failed (exited with code 1)."
Any ideas on how to resolve this?
Thank you in advance!
... View more