topic Re: search for logins to splunk itself in Getting Data In

search for logins to splunk itself

Sean — Mon, 15 Feb 2010 04:21:04 GMT

I need a search that can show me who is logging into our splunk instance itself. Not monitor logins to systems that are logging to splunk but monitor who is using splunk itself... I am tinkering with something like "index=_internal sourcetype=access_combined" but can't find the actual "login" event.

Re: search for logins to splunk itself

Sean — Mon, 15 Feb 2010 04:52:26 GMT

OK, being kindof stupid, the Search Status dashboard has something like what I am looking for that I can use. One of the panels has "UI activity by user" that can be run separately. Namely: "index="internal" source="/splunkd_access.log" "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-"| rex (?\d+)ms$ | timechart eval(sum(run_time)/1000) by user" This works for my purposes.

Re: search for logins to splunk itself

gkanapathy — Mon, 15 Feb 2010 10:59:53 GMT

Actually, if you logins to Splunk as opposed the searches submitted, you can also search:

index=_audit action="login attempt" info=succeeded

Re: search for logins to splunk itself

drutstein — Fri, 26 Oct 2018 18:47:23 GMT

You can use this search:

index=_audit sourcetype=audittrail action=success