
Splunk Inactive Users

Hi, I wonder whether someone could help me please. I'm trying to create a query which identifies inactive users over the last 12 months (time period selected by 'time picker').

I found the following query which returns a list of current user accounts, which works:

    |rest /services/authentication/users splunk_server=local |fields realname |rename realname as user |table user

I then found a query as shown below which displays the last time a user logged on, which again works:

    index=_audit action="login attempt" |stats max(timestamp) by user

So I've tried to amalgamate these so that only the users which appear in the first query but not in the second will be reported, and I came up with the following:

    |rest /services/authentication/users splunk_server=local |fields realname |rename realname as user |eval user1="Y" |table user user1 |join type=outer user[search index=_audit action="login attempt" |stats max(timestamp) by user |eval user2="Y" |where user1 = "Y" AND user2 != "Y" |table user]

The problem I have is that the list returned shows all the users irrespective of whether they have logged on in the last year. I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris
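An added example, not from the post above, of how the account list and the audit log can be combined to report users with no successful login in the time picker range. It assumes the `title` field of the `authentication/users` REST endpoint is the login name that appears as `user` in `_audit`, and that `info=succeeded` marks a successful login attempt in `_audit`; the filter for "never logged in" is placed after the join, where the joined field is actually available.

```spl
| rest /services/authentication/users splunk_server=local
| fields title
| rename title AS user
| join type=left user
    [ search index=_audit action="login attempt" info=succeeded
      | stats max(_time) AS last_login BY user ]
| where isnull(last_login)
| table user
```

In a `| rest` search the subsearch inherits the time picker range, so `last_login` is null for any account with no successful login in the selected period; an account name that differs between the REST `title` field and the audit `user` field will appear as inactive and should be checked by hand.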
