Solved: How to generate a real-time dashboard that shows a...

nickbijmoer · ‎11-04-2016

Hey guys,

I want a list of currently logged in users of a specific server.
And when that person loggs off, I want him to be removed off that list.
So basically a real time dashboard with logged in people on a server.
Is this possible?

richgalloway · ‎11-04-2016

Not knowing exact what your data looks like, I can only give a generic answer.

index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h| dedup username| where event=LOGIN | rename _time as "Login time" | table username "Login time"

This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is log in events. You'll need to set the field names and values to match your world, of course.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gcusello · ‎11-05-2016

Hi nickbijmoer,
using Windows isn't so easy find the current logged in users (Linux is easier!)!
Every way I solved the problem with a little script running on the forwarders:

@echo off
REM --------------------------------------
REM Controllo delle sessioni utente attive
REM --------------------------------------

REM Get event date and time
set date_time=%date% %time%

REM Print the event date and time, this will be the event timestamp
echo Current time: %date_time%

REM print the current user session
query user

This script, is sited in the bin directory of a Technology Add-On distributed on all the Windows machines and sends to Splunk (via Forwarder) an event with timestamp and some information about the current logged users (username, sessionname, id, status, lastaccess).
I run this script every 5 minutes.
If you have old machines (like XP) this script doesn't run and you have to use a different command (qwinsta) in your script.

Bye.
Giuseppe

richgalloway · ‎11-04-2016

Not knowing exact what your data looks like, I can only give a generic answer.

index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h| dedup username| where event=LOGIN | rename _time as "Login time" | table username "Login time"

This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is log in events. You'll need to set the field names and values to match your world, of course.

---
If this reply helps you, Karma would be appreciated.

nickbijmoer · ‎11-07-2016

Cool, thanks 🙂 How can I make this real-time?

richgalloway · ‎11-07-2016

You don't want to do that. Real-time searches waste resources. Scheduling the search to run every 5 minutes should be sufficient.

---
If this reply helps you, Karma would be appreciated.

nickbijmoer · ‎11-07-2016

Ahh yeah thats right! thanks for the tip! 🙂

treinke · ‎11-04-2016

You are going to be looking at multiple Windows events to handle this. There is also an issue in Windows that if someone disconnects and doesn't logout. Below is a great resource on the Window Events around login/logout.

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/64

There are no answer without questions

treinke · ‎11-04-2016

Windows or Linux?

There are no answer without questions

nickbijmoer · ‎11-04-2016

windows server

How to generate a real-time dashboard that shows a list of currently logged in users on a server?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life