https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52116#M1724 <P>Is there a better way to do this yet via the web console?</P> <P>We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.</P> <P>There was noone on staff over Christmas/New Year who could have performed this ssh command.</P> <P>I would have hoped there should be an easier way?</P> <P>Apart from restarting Splunk that is.</P> Tue, 07 Jan 2014 01:44:00 GMT phoenixdigital 2014-01-07T01:44:00Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52114#M1722 <P>Can a Splunk admin terminate a user session?</P> Thu, 04 Aug 2022 16:03:17 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52114#M1722 ogdin 2022-08-04T16:03:17Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52115#M1723 <P>It's not possible via the UI, but it can be done. It's a little tricky though:</P> <P>Find the user's session via a REST endpoint of splunkd:</P> <PRE><CODE><A href="https://localhost:8089/services/authentication/httpauth-tokens" target="test_blank">https://localhost:8089/services/authentication/httpauth-tokens</A> </CODE></PRE> <P>You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like </P> <P><CODE><A href="https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" target="test_blank">https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314</A></CODE></P> <P>And then kill the session by executing the following command on the splunk server:</P> <PRE><CODE>splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE </CODE></PRE> Thu, 16 Sep 2010 21:02:48 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52115#M1723 ziegfried 2010-09-16T21:02:48Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52116#M1724 <P>Is there a better way to do this yet via the web console?</P> <P>We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.</P> <P>There was noone on staff over Christmas/New Year who could have performed this ssh command.</P> <P>I would have hoped there should be an easier way?</P> <P>Apart from restarting Splunk that is.</P> Tue, 07 Jan 2014 01:44:00 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/52116#M1724 phoenixdigital 2014-01-07T01:44:00Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/508104#M11603 <P>run splunk logout ,it will terminate the current session</P> Wed, 08 Jul 2020 14:12:48 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/508104#M11603 vin02ptl 2020-07-08T14:12:48Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/544025#M12141 <P>This should be implemented in Splunk GUI <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 16 Mar 2021 16:12:19 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/544025#M12141 splunkreal 2021-03-16T16:12:19Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608295#M16260 <P>Hello,</P><P>this is not accurate, can't find http tokens but user still doing searches.</P><P>Thanks.</P> Thu, 04 Aug 2022 15:54:47 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608295#M16260 splunkreal 2022-08-04T15:54:47Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608334#M16263 <P>Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches" which will run on a time pattern(CRON) regardless of users current GUI access.</P> Thu, 04 Aug 2022 19:13:24 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608334#M16263 dural_yyz 2022-08-04T19:13:24Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608396#M16266 <P>Still now difficult to identify where users are connected from except if you search Splunk load balancers / web servers.</P> Fri, 05 Aug 2022 07:08:28 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608396#M16266 splunkreal 2022-08-05T07:08:28Z https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608436#M16267 <BLOCKQUOTE><HR /></BLOCKQUOTE><P>&nbsp;</P><LI-CODE lang="markup">index=_audit sourcetype=audittrail action IN ("login attempt" logout) | table _time host user info reason clientip method session​</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>If you add a filter on the user field you can narrow down to specific account.</P><P>- clientip: source IP of connection, obviously NAT could hide the source but that's up to your network layout</P><P>- session: this is the http auth token that other users have already shown how to force delete from the system</P> Fri, 05 Aug 2022 12:33:40 GMT https://community.splunk.com/t5/Security/Can-a-Splunk-admin-terminate-a-user-session/m-p/608436#M16267 dural_yyz 2022-08-05T12:33:40Z