Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Username of person who restarted splunk

ayushmaan
Explorer
‎03-23-2020 02:38 AM

Hi everyone,
I need to know the last activity of the command splunk restart. Is there a way I can find the username of the person correspondingly running the command?

0 Karma
Reply

PavelP
Motivator
‎03-23-2020 06:54 AM

if on linux - additionally you can try to correlate the output of the "last" command, which lists all linux users with corresponed login and logout times, with the time when the "./splunk restart" command was issues. That will not work if you have several simultaniously logged users. I think you need TA_nix Addon to get this info.

On Windows you need to check security log to get similar information (using Addon for Windows)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2020 05:58 AM

Hi @ayushmaan,
you can find the Splunk restart via GUI in _internal using a simple search like this:

index=_internal  restart

result will be something like this where admin is the user that launched the command:

127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms

For the restart via CLI, the only way is to read the history files on Linux and search for the command 

./splunk restart

Ciao.
Giuseppe

Reply

ayushmaan
Explorer
‎03-23-2020 07:58 AM

Hey,
Thanks for the quick response but does this tell us the info of the user who used the command "./splunk restart"? That is the main ask.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2020 08:06 AM

Hi @ayushmaan,
To have the user that used the CLI command, you have to take the Linux logs of history.
If you see in the Splunk_TA_nix App there's in input.conf the configuration to take these logs and to see the user that executed:

### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = os

[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = os

The folder before .bash_history is the username of the user that launched the CLI command.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...