IBM Support

QRadar: User Management: Users who have not logged in to QRadar within a specified period.

Question & Answer


How do you generate a report on all users who have not logged in to the QRadar® console within a specified period?


In User Management, you can view the Last Login for each user when selected.  However, there is no reporting function to satisfy this requirement.


You can compile such a report by using the QRadar® CLI and running a PSQL query on the 'login_attempts' table.
  1. SSH to the QRadar® console's CLI.
  2. Run the following command to set the required specified period in the days variable:
  3. Run the following command, which produces an output file detailing all users who have not logged in to the QRadar® console within the specified period, along with their last login attempt:
    psql -U qradar -c "select distinct on (user_id) login_attempts.*, users.username from login_attempts inner join users on where user_id not in (select user_id from login_attempts where attempt_time > 'now'::date - '$DAYS days'::interval) order by user_id, attempt_time desc;" > /tmp/users_not_logged_in_within_"$DAYS"_days.out
  4. The output file can be found at:

Related Information

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS004434766","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
14 December 2020