topic Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web? in Security

How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

dhavamanis — Wed, 01 Apr 2015 21:30:20 GMT

Can you please tell us how to find how many users are logged into Splunk and what are all the activities they performed (user activity history like dashboards created, executed searches, created alerts...etc) over the period in Splunk Web UI. Also please tell us, how to find number of logged in users in Splunk Web UI.

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

rsennett_splunk — Thu, 02 Apr 2015 00:01:48 GMT

The Distributed Management Console has some interesting stats on the search activity, but you can turn to the _internal index and use the REST API to gather other info. For instance:

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

This will show you userid's that were authorized during a login process rather than a search (hence the blank searchId) running under a user id.

Here is the rest of REST: http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTprolog

As for looking at what people are doing, you can utilize Splunk's own web access logs:

index=_internal source=*web_access.log* /app/   | rex "GET\s\/[^\/]+\/app\/(?P<app>[^\/]+)\/(?P<view>[^\s|?]+) "  | search app=* view=*| stats count by user app view

There are also a few Apps on splunkbase.splunk.com that might be helpful things to look at and steal from to create your ultimate "Big Brother" app...
X-Ray Splunk Knowledge Objects comes to mind.
https://splunkbase.splunk.com/app/1259/
That's more about who is using what (what eventtypes, macros, savedsearches) to build out their use cases, than what specific activity is happening... but it's a good way to know what to look for in the logs.

Also, if you note the related questions over on the right hand sidebar, you'll probably find other approaches as well.

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

dhavamanis — Thu, 02 Apr 2015 03:15:38 GMT

Thanks, seems provided query giving error for me, can you please provide the working query.

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

mlorch — Mon, 28 Sep 2020 20:20:03 GMT

Just to provide a working example:
index=_internal source=web_access.log /app/ | rex field=_raw "8000\/[^\/]+\/app\/(?P[^\/]+)\/(?P[^\s|?]+)" | search app_name=* view=*| stats count by user app_name view
Works for me.

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

rsennett_splunk — Sun, 30 Jul 2017 21:51:04 GMT

sorry about that. I originally had a non capturing group where the value of 'app' was. I made it a capturing group and now the field 'app' is extracted. the error was because app did not exist. I didn't see your comment...two years ago. apologies.