Splunk Search

How to search for Inactive Account Activity?

Jay1234
Explorer

I am trying to change the Inactive Account Activity Detected search so that the time range is more than 365 days ago (instead of less than 90 days ago) and greater than 2 hours ago. Every time I add a greater-than symbol or change 90 days I get an error message in Splunk.

Can anyone change this search so that it looks for inactive accounts of over 365 days ago which have just been logged into today?

| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

 

0 Karma

richgalloway
SplunkTrust

What error message do you get?  What is the exact SPL you've tried?

Bear in mind the first command of the query is a macro so any change to the arguments must be syntactically correct when the macro is expanded.  Type CTRL-Shift-e to have Splunk expand the macros for you.

---
If this reply helps you, Karma would be appreciated.

Jay1234
Explorer

At present the search is looking at events under 12 months and I want it to look for events after 12 months.
So anything I put before the brackets, i.e. greater than > ("12mo","1"), comes up with an error message.

For example:
| `inactive_account_usage| where count =>12mo ("12mo","1")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Error message says:
Error in 'SearchParser': The name 'inactive_account_usage|where count =>12mo ' is invalid. Macro and argument names might only include alphanumerics, '_' and '-'.

When expanding the string I get:
| inputlookup append=T access_tracker where lastTime_user>=1659530054.000000
| stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user
| eval "second2lastTime"=mvdedup(mvappend('second2lastTime',NULL,'lastTime_vals')),"second2lastTime"=if(mvcount('lastTime')=1 AND mvcount('second2lastTime')>1 AND 'second2lastTime'='lastTime',split(ltrim(replace("|".mvjoin('second2lastTime',"|"),"\|".'lastTime',""),"|"), "|"),'second2lastTime'),"second2lastTime"=max('second2lastTime'),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime
| search inactiveDays>=12mo
| lookup update=true identity_lookup_expanded identity as user OUTPUTNEW _key as user_identity_id,bunit as user_bunit,category as user_category,email as user_email,endDate as user_endDate,first as user_first,identity as user_identity,identity_tag as user_identity_tag,jobTitle as user_jobTitle,last as user_last,managedBy as user_managedBy,nick as user_nick,phone as user_phone,prefix as user_prefix,priority as user_priority,startDate as user_startDate,suffix as user_suffix,userPrincipalName as user_userPrincipalName,watchlist as user_watchlist,work_city as user_work_city,work_country as user_work_country,work_lat as user_work_lat,work_long as user_work_long
| lookup identity_lookup_default_fields key as user OUTPUTNEW watchlist as user_watchlist
| eval "tag"=mvdedup(mvappend('tag',NULL,'user_identity_tag')),"user_startDate"=case(isnum('user_startDate'),'user_startDate',isnum(strptime('user_startDate',"%m/%d/%Y %H:%M")),strptime('user_startDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_startDate',"%m/%d/%y %H:%M")),strptime('user_startDate',"%m/%d/%y %H:%M"),1=1,'user_startDate'),"user_endDate"=case(isnum('user_endDate'),'user_endDate',isnum(strptime('user_endDate',"%m/%d/%Y %H:%M")),strptime('user_endDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_endDate',"%m/%d/%y %H:%M")),strptime('user_endDate',"%m/%d/%y %H:%M"),1=1,'user_endDate')
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
| fields + user,tag,inactiveDays,lastTime

0 Karma
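Editor's note: the expanded search above shows what the two macro arguments actually do. The first argument is spliced verbatim into `search inactiveDays>=...` (which is where "12mo" ends up, and why it is not a valid day count), and the second sets the epoch cutoff in `where lastTime_user>=...`, i.e. how recently the account must have logged in. The Python below is an added example, not code from this thread or from the Splunk ES app: it re-implements that expanded logic over a constructed access_tracker lookup so the effect of changing the arguments from ("90","2") to ("365","2") can be checked. The assumption that both arguments must be plain numbers (a day count and an hour count) is inferred from the expansion, not stated by the original poster.

```python
# Added example (not from the Splunk thread or the ES app): a Python
# re-implementation of the logic in the expanded `inactive_account_usage`
# search, run over constructed access_tracker rows.
# Assumptions: the first macro argument is the minimum inactiveDays (a number),
# the second is the look-back window in hours that lastTime must fall inside.

from datetime import datetime, timezone

DAY = 86400
NOW = 1659535200  # assumed "now" for the example: 2022-08-03 13:20:00 UTC


def hours_ago(h):
    return NOW - h * 3600


def days_ago(d):
    return NOW - d * DAY


# Constructed access_tracker rows, not real data (epoch seconds).
# second2lastTime = the login before the most recent one, lastTime = most recent login.
ACCESS_TRACKER = [
    {"user": "alice", "second2lastTime": days_ago(400), "lastTime": hours_ago(0.5)},  # dormant 400 days, just logged in
    {"user": "bob",   "second2lastTime": days_ago(100), "lastTime": hours_ago(1)},    # dormant 100 days, just logged in
    {"user": "carol", "second2lastTime": days_ago(500), "lastTime": days_ago(3)},     # dormant, but last login 3 days ago
    {"user": "dave",  "second2lastTime": days_ago(2),   "lastTime": hours_ago(0.2)},  # normal activity
]


def valid_macro_args(days, hours):
    """The macro splices its arguments into `inactiveDays>=<days>` and an epoch
    comparison, so both must be plain numbers. A value such as "12mo" is not."""
    try:
        float(days)
        float(hours)
        return True
    except ValueError:
        return False


def inactive_account_usage(rows, days, hours, now=NOW):
    """Emulate `inactive_account_usage("<days>","<hours>")` as the expanded SPL computes it."""
    if not valid_macro_args(days, hours):
        raise ValueError(f"macro arguments must be numeric, got days={days!r} hours={hours!r}")
    days, hours = float(days), float(hours)
    cutoff = now - hours * 3600  # `inputlookup ... where lastTime_user>=<epoch>`
    results = []
    for r in rows:
        if r["lastTime"] < cutoff:  # most recent login is outside the window
            continue
        # `eval inactiveDays=round((lastTime-second2lastTime)/86400,2)`
        inactive_days = round((r["lastTime"] - r["second2lastTime"]) / DAY, 2)
        if inactive_days >= days:  # `search inactiveDays>=<days>`
            results.append({
                "user": r["user"],
                "inactiveDays": inactive_days,
                # `convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)`
                "lastTime": datetime.fromtimestamp(r["lastTime"], timezone.utc).strftime("%m/%d/%Y %H:%M:%S"),
            })
    return results


def users(rows, days, hours):
    """Just the user column, for a quick comparison of argument choices."""
    return [r["user"] for r in inactive_account_usage(rows, days, hours)]


if __name__ == "__main__":
    print('("90","2")   ->', users(ACCESS_TRACKER, "90", "2"))
    print('("365","2")  ->', users(ACCESS_TRACKER, "365", "2"))
    print('("365","24") ->', users(ACCESS_TRACKER, "365", "24"))
    print('("12mo","1") numeric?', valid_macro_args("12mo", "1"))
```

Under these assumptions the direct substitution for the original post's request is `| \`inactive_account_usage("365","2")\` | \`ctime(lastTime)\` | fields + user,tag,inactiveDays,lastTime`: 365 replaces 90 as the day count, and the second argument stays 2 (or becomes 24 if "logged into today" is meant as the last 24 hours). No comparison operator goes inside the macro call; the `>=` is already in the expanded search. Use CTRL-Shift-e, as suggested above, to confirm the expansion reads `search inactiveDays>=365` before saving the change.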