https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155731#M185708 <P>You can post with the Rest endpoint, and an admin user.</P> <BLOCKQUOTE> <P># post maintenance message on a search-head</P> <P>curl -k -u admin:changeme <A href="https://mysplunkinstance.domain.com:8089/services/messages">https://mysplunkinstance.domain.com:8089/services/messages</A> -d severity="warn" -d name=message -d value="This is your Splunk Admin, there will be a maintenance of this instance in 10 minutes -&gt; 15:00 , ETA of 30 minutes -&gt; 15:30, for updates contact me at <A href="mailto:YourFriendlyNeighborhoodAdmin@mydomain.com">YourFriendlyNeighborhoodAdmin@mydomain.com</A>"</P> </BLOCKQUOTE> <P>To the list of the active users, check the SOS dashboard or this search over last hour.</P> <P><CODE><BR /> earliest=-1h index=_internal source="*web_access.log*" <BR /> | rex "\d+\.\d+\.\d+\.\d+ - (?&lt;user&gt;\w+)" <BR /> | fillnull user value="missing"<BR /> | stats first(_time) AS "last_activity" by user<BR /> | convert ctime(last_activity)<BR /> </CODE> </P> Tue, 18 Feb 2014 20:40:30 GMT yannK 2014-02-18T20:40:30Z https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155729#M185706 <P>I have to do some maintenances in splunk and want to warn the users that splunk will be down.</P> <UL> <LI>How to get the list of active users logged in ?</LI> <LI>There is a message bar, can I post messages to it ?</LI> </UL> Tue, 18 Feb 2014 20:34:21 GMT https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155729#M185706 mataharry 2014-02-18T20:34:21Z https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155730#M185707 <P>This should give you currently logged in users. (have some extra parts to get roles of logged in users)</P> <PRE><CODE>| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed |join type=left userName [| rest /services/authentication/users splunk_server=local |fields title roles realname|rename title as userName|rename realname as Name] |rename userName as User |rename splunk_server as "Splunk Server"|rename timeAccessed as "Time Accessed"|rename roles as Role |table User,"Splunk Server",Name,Role </CODE></PRE> <P>To send a message to all logged in users, go to <BR /> Manager » User interface » Bulletin Messages and add a new bulletin message. Once Maintenance is done delete the message. </P> Tue, 18 Feb 2014 20:40:19 GMT https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155730#M185707 somesoni2 2014-02-18T20:40:19Z https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155731#M185708 <P>You can post with the Rest endpoint, and an admin user.</P> <BLOCKQUOTE> <P># post maintenance message on a search-head</P> <P>curl -k -u admin:changeme <A href="https://mysplunkinstance.domain.com:8089/services/messages">https://mysplunkinstance.domain.com:8089/services/messages</A> -d severity="warn" -d name=message -d value="This is your Splunk Admin, there will be a maintenance of this instance in 10 minutes -&gt; 15:00 , ETA of 30 minutes -&gt; 15:30, for updates contact me at <A href="mailto:YourFriendlyNeighborhoodAdmin@mydomain.com">YourFriendlyNeighborhoodAdmin@mydomain.com</A>"</P> </BLOCKQUOTE> <P>To the list of the active users, check the SOS dashboard or this search over last hour.</P> <P><CODE><BR /> earliest=-1h index=_internal source="*web_access.log*" <BR /> | rex "\d+\.\d+\.\d+\.\d+ - (?&lt;user&gt;\w+)" <BR /> | fillnull user value="missing"<BR /> | stats first(_time) AS "last_activity" by user<BR /> | convert ctime(last_activity)<BR /> </CODE> </P> Tue, 18 Feb 2014 20:40:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155731#M185708 yannK 2014-02-18T20:40:30Z https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155732#M185709 <P>nice, I never saw the manager interface.</P> Tue, 18 Feb 2014 20:42:39 GMT https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155732#M185709 mataharry 2014-02-18T20:42:39Z https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155733#M185710 <P>so the curl command allows to specify the severity.</P> Tue, 18 Feb 2014 20:43:06 GMT https://community.splunk.com/t5/Splunk-Search/how-to-inform-the-splunk-users-of-a-maintenance-in-splunk/m-p/155733#M185710 mataharry 2014-02-18T20:43:06Z