topic Re: Users who are logged in right now in Splunk Search

Users who are logged in right now

Ant1D — Mon, 07 Feb 2011 20:54:49 GMT

Hey,

Is there a search that shows all of the users that are logged in to my Splunk instance right now?

I have some searches (via index=_audit) that show which users have logged on successfully but it would be good to be able to see at any time those who are currently logged in using Splunk.

Any help would be much appreciated.

Thanks in advance.

Re: Users who are logged in right now

Brian_Osburn — Mon, 07 Feb 2011 23:46:36 GMT

I use this:

 index=_audit  NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user

It may not be the best, but it gives me an idea who's in the system and the last action they took. Useful when you need to do stealth restarts in production 🙂

Brian

Re: Users who are logged in right now

Lowell — Tue, 08 Feb 2011 00:08:53 GMT

Another approach, is to look at who is currently authenticated to your splunkd process. This isn't a really a search, but it may give you the info you are looking for.

https://your-splunk-server:8089/services/authentication/httpauth-tokens

Note the "userName" field.

Re: Users who are logged in right now

Ant1D — Mon, 16 Jan 2012 17:27:39 GMT

I forgot about this question. I ended up writing a similar search that does the job

Re: Users who are logged in right now

wrangler2x — Wed, 06 Mar 2013 17:10:03 GMT

The problem with this search is that it shows users who have not logged in -- for example, audit records that track saved searches run for a particular user.

I have not figured out a way to screen those out, because if the action is 'search' you can't use that to screen them because a logged-in user can also have audit records that have that action.

Re: Users who are logged in right now

kurdbahr — Tue, 30 Jul 2013 08:39:26 GMT

You can make it into a search like this:

| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName

Re: Users who are logged in right now

wrangler2x — Mon, 28 Sep 2020 14:28:02 GMT

Very interesting. Looking at it though, it seems that 'updated' is not very helpful... it seems to always reflect the current time. I think the more interesting field is max(timeAccessed) because it appears to reflect actual last usage.

I also have another search I have been using with some success:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

Re: Users who are logged in right now

drapkin11 — Tue, 06 Aug 2013 23:36:37 GMT

@wrangler2x: I think adding savedsearch_name="" to the query above would address your valid concerns about saved searches that automatically run for certain user accounts. That particular field should be non-empty if it is really a saved search.

Re: Users who are logged in right now

neltonk — Tue, 29 Sep 2020 21:36:30 GMT

index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "schedulernobody_search" | stats max(timestamp) by user

Re: Users who are logged in right now

tecooper — Tue, 23 Oct 2018 22:01:23 GMT

Thanks wrangler2x, this is exactly what I needed!

Re: Users who are logged in right now

jotne — Fri, 19 Mar 2021 09:56:33 GMT

I made a dashboard for this. Works fine even in a distributed setup with many search head.

<form theme="dark"> <label>Current online users</label>  <search id="base_search"> <query> index=_audit NOT user IN (n/a splunk-system-user) NOT "scheduler__nobody__search" host="$Server$" user="$User$" | fields timestamp host user </query> </search> <fieldset submitButton="false"> <input type="time"> <label></label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Server"> <label>Server</label> <search base="base_search"> <query> | eval data=host | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="dropdown" token="User"> <label>User</label> <search base="base_search"> <query> | eval data=user | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="radio" token="sort"> <label>Sort by</label> <choice value="host">Server</choice> <choice value="user">User</choice> <initialValue>host</initialValue> </input> </fieldset> <row> <panel> <chart> <search base="base_search"> <query> | timechart count by $sort$ </query> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">stacked</option> <option name="height">300</option> </chart> </panel> </row> <row> <panel> <table> <search base="base_search"> <query> | stats latest(timestamp) as last_seen by user host | sort - last_seen</query> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="user"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </form>

Re: Users who are logged in right now

Keith_wgtn — Mon, 05 Aug 2024 04:55:40 GMT

This one seems better as it exclude scheduled searches.