I have a requirement from a client that needs us to have the ability to audit user logins over a period of 180 days. The goal is to search for user accounts that have not logged into a particular system in 180 days and then disable those accounts. I think I found the correct syntax below; however, based on how I wrote my syntax, Sumo Logic has a search limit of 40 days max. Can you please help me with suggestions on how to change my syntax or how to get data older than 40 days?
In addition to using 180d in my query, I changed the time period field to "-180d". -40d works, but anything higher doesn't.
Here is my query:

_sourceCategory="kubernetes/system" and "[org.keycloak.events]"
| json field=_raw "CONTAINER_NAME"
| where %CONTAINER_NAME matches "k8s_keycloak*"
| parse "type=*," as type
| parse "clientId=*," as clientID
| parse "realmId=*," as realmID
| parse "ipAddress=*," as ipAddress
| parse "auth_method=*," as method
| parse "username=*," as username
| json field=_raw "timestamp" as timestamp
| formatDate(toLong(timestamp), "yyyy/MM/dd HH:mm:ss:SSS") as messagetime
| where type="LOGIN"
| count by username
| compare timeshift 180d
| where isNull(_count)
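The stale-account logic the query above is trying to express, as an added example that is not part of the original post: it mirrors the container filter, the `type=LOGIN` filter, the `username` parse and the epoch-millisecond `timestamp`, then flags every known account whose latest successful login is older than 180 days. The sample records are constructed (not real data), and the `log` key holding the Keycloak event text is an assumed field name.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Fixed reference "now" so the constructed sample is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WINDOW_DAYS = 180

def _ms(dt):
    """Epoch milliseconds, the form the query feeds to toLong(timestamp)."""
    return int(dt.timestamp() * 1000)

def _rec(container, when, text):
    """Build one constructed JSON record; "log" is an assumed key name."""
    return json.dumps({"CONTAINER_NAME": container, "timestamp": _ms(when), "log": text})

# Constructed sample records (not real data), shaped like what `json field=_raw` reads.
SAMPLE_EVENTS = [
    _rec("k8s_keycloak_0", NOW - timedelta(days=10),
         "[org.keycloak.events] type=LOGIN, realmId=demo, clientId=portal, ipAddress=10.0.0.5, auth_method=openid-connect, username=alice,"),
    _rec("k8s_keycloak_0", NOW - timedelta(days=200),
         "[org.keycloak.events] type=LOGIN, realmId=demo, clientId=portal, ipAddress=10.0.0.6, auth_method=openid-connect, username=bob,"),
    _rec("k8s_keycloak_0", NOW - timedelta(days=1),   # failed login: must not count
         "[org.keycloak.events] type=LOGIN_ERROR, realmId=demo, clientId=portal, ipAddress=10.0.0.7, username=dave,"),
    _rec("k8s_nginx_0", NOW - timedelta(days=2), "type=LOGIN, username=eve,"),  # wrong container
]

KV_RE = re.compile(r"(\w+)=([^,]*),")  # same shape as the `parse "key=*,"` steps

def parse_login(raw):
    """Return (username, login_time) for a Keycloak LOGIN event, else None."""
    rec = json.loads(raw)
    if not rec.get("CONTAINER_NAME", "").startswith("k8s_keycloak"):
        return None
    fields = dict(KV_RE.findall(rec.get("log", "")))
    if fields.get("type") != "LOGIN" or "username" not in fields:
        return None
    ts = datetime.fromtimestamp(int(rec["timestamp"]) / 1000, tz=timezone.utc)
    return fields["username"], ts

def last_logins(raw_lines):
    """Latest successful login per username (the count-by step, reduced to a max)."""
    latest = {}
    for raw in raw_lines:
        parsed = parse_login(raw)
        if parsed:
            user, ts = parsed
            latest[user] = max(ts, latest.get(user, ts))
    return latest

def stale_accounts(known_users, raw_lines, now=NOW, days=WINDOW_DAYS):
    """Accounts with no LOGIN inside the window. Known users with no login event
    at all are included: a count-by over login events never yields a row for them."""
    cutoff = now - timedelta(days=days)
    latest = last_logins(raw_lines)
    return sorted(u for u in known_users if latest.get(u, cutoff) <= cutoff)
```

The list of known accounts has to come from the identity provider rather than from the login events themselves, because an account with zero events in the window produces nothing for `isNull(_count)` to test against.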