Dashboards & Visualizations

How to generate a real-time dashboard that shows a list of currently logged in users on a server?

nickbijmoer
Path Finder

Hey guys,

I want a list of currently logged in users of a specific server.
And when that person loggs off, I want him to be removed off that list.
So basically a real time dashboard with logged in people on a server.
Is this possible?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Not knowing exact what your data looks like, I can only give a generic answer.

index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h| dedup username| where event=LOGIN | rename _time as "Login time" | table username "Login time"

This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is log in events. You'll need to set the field names and values to match your world, of course.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi nickbijmoer,
using Windows isn't so easy find the current logged in users (Linux is easier!)!
Every way I solved the problem with a little script running on the forwarders:

@echo off
REM --------------------------------------
REM Controllo delle sessioni utente attive
REM --------------------------------------

REM Get event date and time
set date_time=%date% %time%

REM Print the event date and time, this will be the event timestamp
echo Current time: %date_time%

REM print the current user session
query user

This script, is sited in the bin directory of a Technology Add-On distributed on all the Windows machines and sends to Splunk (via Forwarder) an event with timestamp and some information about the current logged users (username, sessionname, id, status, lastaccess).
I run this script every 5 minutes.
If you have old machines (like XP) this script doesn't run and you have to use a different command (qwinsta) in your script.

Bye.
Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Not knowing exact what your data looks like, I can only give a generic answer.

index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h| dedup username| where event=LOGIN | rename _time as "Login time" | table username "Login time"

This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is log in events. You'll need to set the field names and values to match your world, of course.

---
If this reply helps you, Karma would be appreciated.

nickbijmoer
Path Finder

Cool, thanks 🙂 How can I make this real-time?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You don't want to do that. Real-time searches waste resources. Scheduling the search to run every 5 minutes should be sufficient.

---
If this reply helps you, Karma would be appreciated.

nickbijmoer
Path Finder

Ahh yeah thats right! thanks for the tip! 🙂

0 Karma

treinke
Builder

You are going to be looking at multiple Windows events to handle this. There is also an issue in Windows that if someone disconnects and doesn't logout. Below is a great resource on the Window Events around login/logout.

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/64

There are no answer without questions
0 Karma

treinke
Builder

Windows or Linux?

There are no answer without questions
0 Karma

nickbijmoer
Path Finder

windows server

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...