Is there a way to identify which search head a user logs into in a search cluster?
There are times when there are issues, and I need for the user to tell me which search head they are on, and there is no easy way to determine that.
From one of our audit dashboards:
This can be run and deployed from any search head. It will also pick up anyone logged into the CM, Deployer, LM, etc.
index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" "info=succeeded"
| bucket _time span=1mon
| stats values(user) as Users, first(action) as currentstate by _time, host
| where currentstate="login attempt"
| xyseries _time, host, Users
| fields - currentstate, _time
Note: Works as of 6.6.3
I would fiddle around with the
bucket _time span=1mon
as right now it is set for 1 month. Don't set it too low, though; otherwise the users column will fill up with duplicates.
I have, and built a dashboard so anyone can use it. Very useful.
wicked!
thanks much!
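A variant of the search above, added here as an example and not taken from any poster's dashboard: it lists one row per user and host with the most recent successful login, so the result does not depend on the `bucket` span and does not repeat users. It assumes `action`, `info`, `user` and `host` are available as fields on `_audit` events and that the time range is set in the time picker.

```spl
index=_audit action="login attempt" info=succeeded
    NOT user="n/a" NOT user="splunk-system-user"
``` one row per user and host, keeping the newest successful login ```
| stats latest(_time) as last_login, count as logins by user, host
``` flag the host each user logged into most recently ```
| eventstats max(last_login) as newest by user
| eval most_recent=if(last_login==newest, "yes", "no")
| sort user, -last_login
``` display as a readable timestamp while keeping the epoch value for sorting ```
| fieldformat last_login=strftime(last_login, "%Y-%m-%d %H:%M:%S")
| fields user, host, logins, last_login, most_recent
```

Appending `| search user="<username>"` narrows the output to a single user when troubleshooting a specific report.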