This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

XQL How to get all users that haven't logged in in the past 30 days.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XQL How to get all users that haven't logged in in the past 30 days.

W.Edmeades
L0 Member

‎09-29-2025 07:38 PM

Hi,

I'm having trouble putting together a query that'll grab me a list of users that haven't logged in within the past 30 days.

So far I've got this, but I'm not even sure if it's the right approach, so I'm just a bit stuck:

dataset = xdr_data // Using the xdr dataset
 | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 // Filtering by windows event log and id 4624
 | alter User_Name = arrayindex(regextract(action_evtlog_message,"New Logon:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"),0) // Using regextract to get just a part of the full event log message into an array, then using arrayindex to take the first item in the array
 | fields User_Name // Select all the fields to show them

| alter lastLoginEpoch = //"last Seen" column value for user
| filter lastLoginEpoch < to_timestamp(add(to_epoch(date_floor(current_time(),"d")),-2592000))

It should theoretically be possible, I just need to grab:

  • a list of login timestamps for all users
  • select the most recent one for each user
  • remove all users who have logged in between "now" & 30 days ago.

Just not sure how to do any of that, even after consulting the documentation.

 

Any help would greatly be appreciated 🙂

0 Likes Likes
1 REPLY 1

eluis
L5 Sessionator

‎10-01-2025 04:36 AM

Hi @W.Edmeades 

 

We do not collect data of things that did not happened (not logged in users). So you can not find things that did not happened on the logs. 

 

It is rather better to look for users that have logged in in the last 30 days. And the ones not found are the ones that did not logged in in the last 30 days. 

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". 

Thank you.

 

KR,

Luis

 

0 Likes Likes
  • 67 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks