hello there,
the comment above by @jdhunter is very valid imho,
now it is time to ask yourself, how would i know an employee is terminated?
where can i get this data? many times from HR db, sometimes from ticketing systems as IT closing email account or something. however, relying on IT (only from my experience) to know who was terminated is not ideal.
now that you have the data, how will you correlate it to login events, windows / nix / vpn / etc ...?
different data will have different field names for user, maybe Account_Name or username or other field names.
first, you will probably want to normalize all the fields so you can capture the most in one single search.
the CIM (Common Information Model) is a great tool to help you accomplish that, read here:
http://docs.splunk.com/Documentation/CIM/4.11.0/User/Overview
otherwise, you can use field aliases for example, read here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields
second, you would like to have a list, lookup, with names of all terminated employees.
finally, build a search that will look for all user logins and match the usernames to your lookup of terminated personnel.
hope it helps
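The three steps in the post above (normalize the user field, keep a lookup of terminated employees, match logins against it), sketched offline in Python as an added example that is not part of the original post or of any Splunk app. The `action`, `time` and `sourcetype` fields, the termination timestamps and all sample events are constructed assumptions; only `Account_Name` and `username` come from the post.

```python
from datetime import datetime, timezone

# Source-specific user fields collapsed into one normalized value, the job a
# field alias or CIM mapping does. "user" as the target name is an assumption.
USER_FIELDS = ("user", "Account_Name", "username")

def normalize_user(event):
    """Return a lowercase bare account name, or None if no user field is set."""
    for field in USER_FIELDS:
        raw = event.get(field)
        if raw:
            name = raw.strip().lower()
            name = name.rsplit("\\", 1)[-1]   # DOMAIN\user -> user
            return name.split("@", 1)[0]      # user@domain -> user
    return None

def parse_ts(value):
    # Sample timestamps are treated as UTC (assumption).
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def logins_by_terminated(events, terminated):
    """Return (user, time, sourcetype) for successful logins after termination."""
    cutoffs = {u.lower(): parse_ts(t) for u, t in terminated.items()}
    hits = []
    for ev in events:
        user = normalize_user(ev)
        if user not in cutoffs or ev.get("action") != "success":
            continue
        if parse_ts(ev["time"]) > cutoffs[user]:
            hits.append((user, ev["time"], ev["sourcetype"]))
    return hits

# Constructed lookup: account -> termination time, as an HR export might give it.
TERMINATED = {"jsmith": "2018-07-01T17:00:00", "mlee": "2018-07-03T12:00:00"}

# Constructed events from three sources that name the user field differently.
EVENTS = [
    {"time": "2018-06-30T09:00:00", "sourcetype": "windows", "Account_Name": "CORP\\jsmith", "action": "success"},
    {"time": "2018-07-02T22:14:00", "sourcetype": "vpn", "username": "JSmith@corp.example", "action": "success"},
    {"time": "2018-07-04T03:10:00", "sourcetype": "linux", "user": "mlee", "action": "failure"},
    {"time": "2018-07-04T03:11:00", "sourcetype": "linux", "user": "mlee", "action": "success"},
    {"time": "2018-07-04T08:00:00", "sourcetype": "windows", "Account_Name": "CORP\\akhan", "action": "success"},
]

if __name__ == "__main__":
    for hit in logins_by_terminated(EVENTS, TERMINATED):
        print(hit)
```

Comparing the login time with the termination time keeps logins from before the employee left out of the results, which a plain username match against the lookup would not do.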