I am attempting to write a query that searches Splunk for any users that have not logged in for the past 60 days. This is a compliance requirement and all queries are not working.
Our login sourcetype is sam:xml
My latest search resulted in zero events:
index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time | eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user