For Audit purposes, I need to write a query to find out all the users who has not logged in last 90 days in the datapower servers so that we can identify them and remove their access. I have the query to find out all the user have logged in 90 days and then manually remove the one's who haven't. But we are looking to fully do an automated query that tells us who hasn't logged in.
This is the event that logs when a user is successfully logged in
user(xxxxx): [abc.10.hsc.120]: User logged into 'environment'.
Query I am using to find who has logged in
index=datapower environment=* "user logged into" NOT svc | eval Time=strftime(_time, "%H:%M:%S") | eval Date=strftime(_time, "%Y-%m-%d")|dedup UserID| stats count by UserID, environment, Date, Time
Need help to write something which will tell me who has not logged in.
... View more