Splunk Search

How to search for Inactive Account Activity?

Jay1234
Explorer

I am trying to change the Inactive Account Activity Detected search so the search reads the time range of more than 365 days ago (instead of less than 90 days ago) and greater than 2 hours ago. Every time I add a greater-than symbol or change 90 days I get an error message in Splunk.

Can anyone change this search so it reads that it's looking for inactive accounts of over 365 days ago which have just been logged into today?

| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime



richgalloway
SplunkTrust

What error message do you get?  What is the exact SPL you've tried?

Bear in mind the first command of the query is a macro so any change to the arguments must be syntactically correct when the macro is expanded.  Type CTRL-Shift-e to have Splunk expand the macros for you.

---
If this reply helps you, Karma would be appreciated.

Jay1234
Explorer

At present the search is looking at events under 12 months and I want it to look for events after 12 months.
So anything I put before the brackets, i.e. greater than > ("12mo","1"), comes up with an error message.

For example:
| `inactive_account_usage| where count =>12mo ("12mo","1")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Error message says:
Error in 'SearchParser': The name 'inactive_account_usage|where count =>12mo ' is invalid. Macro and argument names might only include alphanumerics, '_' and '-'.

When expanding the string I get:
| inputlookup append=T access_tracker where lastTime_user>=1659530054.000000
| stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user
| eval "second2lastTime"=mvdedup(mvappend('second2lastTime',NULL,'lastTime_vals')),"second2lastTime"=if(mvcount('lastTime')=1 AND mvcount('second2lastTime')>1 AND 'second2lastTime'='lastTime',split(ltrim(replace("|".mvjoin('second2lastTime',"|"),"\|".'lastTime',""),"|"), "|"),'second2lastTime'),"second2lastTime"=max('second2lastTime'),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime
| search inactiveDays>=12mo
| lookup update=true identity_lookup_expanded identity as user OUTPUTNEW _key as user_identity_id,bunit as user_bunit,category as user_category,email as user_email,endDate as user_endDate,first as user_first,identity as user_identity,identity_tag as user_identity_tag,jobTitle as user_jobTitle,last as user_last,managedBy as user_managedBy,nick as user_nick,phone as user_phone,prefix as user_prefix,priority as user_priority,startDate as user_startDate,suffix as user_suffix,userPrincipalName as user_userPrincipalName,watchlist as user_watchlist,work_city as user_work_city,work_country as user_work_country,work_lat as user_work_lat,work_long as user_work_long
| lookup identity_lookup_default_fields key as user OUTPUTNEW watchlist as user_watchlist
| eval "tag"=mvdedup(mvappend('tag',NULL,'user_identity_tag')),"user_startDate"=case(isnum('user_startDate'),'user_startDate',isnum(strptime('user_startDate',"%m/%d/%Y %H:%M")),strptime('user_startDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_startDate',"%m/%d/%y %H:%M")),strptime('user_startDate',"%m/%d/%y %H:%M"),1=1,'user_startDate'),"user_endDate"=case(isnum('user_endDate'),'user_endDate',isnum(strptime('user_endDate',"%m/%d/%Y %H:%M")),strptime('user_endDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_endDate',"%m/%d/%y %H:%M")),strptime('user_endDate',"%m/%d/%y %H:%M"),1=1,'user_endDate')
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
| fields + user,tag,inactiveDays,lastTime

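Added example (not from either poster): the macro call rewritten for the requirement in the question, with an explicit post-filter so the thresholds do not depend on how the macro substitutes its arguments. The expansion pasted above shows why the attempts failed: a macro invocation is just `name(args)`, so nothing (no `>`, no `where`) can go between the name and the parentheses, and the first argument is dropped straight into `search inactiveDays>=…`, where `inactiveDays` is `round((lastTime-second2lastTime)/86400,2)`, a number of days. `12mo` is therefore not a valid value; 365 is. The second argument feeding the `lastTime_user>=<epoch>` bound is assumed, from the original `("90","2")` call and the "2 hours" wording, to be the lookback in hours.

```spl
| `inactive_account_usage("365","2")`
| where inactiveDays>=365 AND lastTime>=relative_time(now(),"-2h")
| `ctime(lastTime)`
| fields + user,tag,inactiveDays,lastTime
```

The `where` line is redundant with the macro arguments when they behave as described, but it makes the two thresholds visible in the correlation search itself and still works if the macro's defaults change. Note that `lastTime` is still an epoch value at that point; the `ctime(lastTime)` macro (expanded as the `convert ... ctime(lastTime)` line above) turns it into a string, so the comparison has to come before it. Use CTRL-Shift-E to expand the macros and confirm that `search inactiveDays>=365` appears in the result.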