Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Search Query for Logged-in Users on Linux Servers

umesh_phendarka
New Member
‎10-01-2019 01:50 AM

What is the splunk Search Query for Logged-in Users on Linux Servers
I want to have dashboard for currently logged in users in Linux Servers

Tags (2)
0 Karma
Reply

ivanreis
Builder
‎10-02-2019 10:48 PM

If you want to search for linux users current login, you should identify the linux log where this data is being send to and index this file into Splunk.
Possible steps to take:
create an input to read this log file, assign this data to an index and sourcetype
Sample:
[monitor:///var/log/.log]
disabled = false
sourcetype = secure_log
index=linux
Depends on how the user information is showing on the file, there is a potential regex usage to extract the user from the log, if splunk is not capable to extract this info.

Please see a sample of code from this link. In this sample, the index is not specified, thus I recommend to always specify an index to assigned your indexed data and to not relying on default configuration if you are running on large splunk environment to avoid performance issues
https://gosplunk.com/list-of-users-in-a-linux-environment/

Splunk potential search based on the link attached above

index=linux sourcetype=secure_log | rex "\suser^'" | stats count by User

0 Karma
Reply

broberg
Communicator
‎10-02-2019 05:06 AM

Do you have any app that keep tracks on this so you can search for it?
Or do you want to see usernames that are logged into a splunk instance running on a Linux server?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...