Deployment Architecture

Splunk Search Query for Logged-in Users on Linux Servers

New Member

What is the splunk Search Query for Logged-in Users on Linux Servers
I want to have dashboard for currently logged in users in Linux Servers

Tags (2)
0 Karma


If you want to search for linux users current login, you should identify the linux log where this data is being send to and index this file into Splunk.
Possible steps to take:
create an input to read this log file, assign this data to an index and sourcetype
disabled = false
sourcetype = secure_log
Depends on how the user information is showing on the file, there is a potential regex usage to extract the user from the log, if splunk is not capable to extract this info.

Please see a sample of code from this link. In this sample, the index is not specified, thus I recommend to always specify an index to assigned your indexed data and to not relying on default configuration if you are running on large splunk environment to avoid performance issues

Splunk potential search based on the link attached above

index=linux sourcetype=secure_log | rex "\suser^'" | stats count by User

0 Karma


Do you have any app that keep tracks on this so you can search for it?
Or do you want to see usernames that are logged into a splunk instance running on a Linux server?

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...