Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Username of person who restarted splunk

ayushmaan
Explorer
‎03-23-2020 02:38 AM

Hi everyone,
I need to know the last activity of the command splunk restart. Is there a way I can find the username of the person correspondingly running the command?

0 Karma
Reply

PavelP
Motivator
‎03-23-2020 06:54 AM

if on linux - additionally you can try to correlate the output of the "last" command, which lists all linux users with corresponed login and logout times, with the time when the "./splunk restart" command was issues. That will not work if you have several simultaniously logged users. I think you need TA_nix Addon to get this info.

On Windows you need to check security log to get similar information (using Addon for Windows)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2020 05:58 AM

Hi @ayushmaan,
you can find the Splunk restart via GUI in _internal using a simple search like this:

index=_internal  restart

result will be something like this where admin is the user that launched the command:

127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms

For the restart via CLI, the only way is to read the history files on Linux and search for the command 

./splunk restart

Ciao.
Giuseppe

Reply

ayushmaan
Explorer
‎03-23-2020 07:58 AM

Hey,
Thanks for the quick response but does this tell us the info of the user who used the command "./splunk restart"? That is the main ask.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2020 08:06 AM

Hi @ayushmaan,
To have the user that used the CLI command, you have to take the Linux logs of history.
If you see in the Splunk_TA_nix App there's in input.conf the configuration to take these logs and to see the user that executed:

### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = os

[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = os

The folder before .bash_history is the username of the user that launched the CLI command.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...