topic How to get a list of concurrent Splunk users on a Search Head? in Splunk Search

How to get a list of concurrent Splunk users on a Search Head?

dm1 — Wed, 22 Sep 2021 01:41:24 GMT

Re: How to get a list of concurrent Splunk users on a Search Head?

danielcj — Wed, 22 Sep 2021 04:20:09 GMT

Hello,

Not sure if I understand correctly your question.

Do you want to get the list of all the users created on a Search Head?

You can use the following search if you want to list all the users created:

| rest /services/authentication/users | table title

If you want to list the count of distinct active users you can use the following search:

(index=_audit info=completed action=search user!="splunk-system-user") | stats dc(user) as "Distinct Users"

Re: How to get a list of concurrent Splunk users on a Search Head?

PickleRick — Wed, 22 Sep 2021 06:00:51 GMT

I suppose OP wants a lis of active logged in sessions on a particular SH.

You can get that (and the query used to populate the table) in the monitoring console -> search -> activity (or something like that)

Re: How to get a list of concurrent Splunk users on a Search Head?

dm1 — Wed, 22 Sep 2021 06:24:43 GMT

Yes, thats right.

I am workinng on sizing Splunk instances in AWS to migrate our current on-prem platform to AWS and was referring this guide It mentions about concurrent Splunk users. Hence, why I am trying to figure out where/how I can find that info.

I checked where you mentioned, but it mainly shows concurrent searches, not users.

Re: How to get a list of concurrent Splunk users on a Search Head?

PickleRick — Wed, 22 Sep 2021 09:59:45 GMT

That's correct. I was writing from memory. Apparently it fooled me 😉

You should be able to get list of searches from _internal index and check how many users issued those searches during some time. That's one of possible approaches.

Re: How to get a list of concurrent Splunk users on a Search Head?

isoutamo — Wed, 22 Sep 2021 10:16:37 GMT

I'm afraid that you cannot get exact numbers of concurrent users in any particular time from splunk. You could try to get some information about it to look those searches etc. from audit trail, but it never told that concurrent user amount. Fortunately you don't need that for sizing your AWS splunk environment 😉

More important information is concurrent searches than users. And that you can see from MC. On MC you also see how well your current environment is working with current load. Of course there are many things what you must check, but one which you must check is MC -> Searches -> Scheduler Activity. That tolds to you how much you need cores etc. to fulfil your current needs. Look Skipped and Deferred items there.

r. Ismo