Deployment Architecture
Highlighted

Username of person who restarted splunk

Explorer

Hi everyone,
I need to know the last activity of the command splunk restart. Is there a way I can find the username of the person correspondingly running the command?

0 Karma
Highlighted

Re: Username of person who restarted splunk

Legend

Hi @ayushmaan,
you can find the Splunk restart via GUI in _internal using a simple search like this:

index=_internal  restart

result will be something like this where admin is the user that launched the command:

127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms

For the restart via CLI, the only way is to read the history files on Linux and search for the command

./splunk restart

Ciao.
Giuseppe

0 Karma
Highlighted

Re: Username of person who restarted splunk

Explorer

Hey,
Thanks for the quick response but does this tell us the info of the user who used the command "./splunk restart"? That is the main ask.

0 Karma
Highlighted

Re: Username of person who restarted splunk

Legend

Hi @ayushmaan,
To have the user that used the CLI command, you have to take the Linux logs of history.
If you see in the SplunkTAnix App there's in input.conf the configuration to take these logs and to see the user that executed:

### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = os

[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = os

The folder before .bash_history is the username of the user that launched the CLI command.

Ciao.
Giuseppe

0 Karma
Highlighted

Re: Username of person who restarted splunk

Motivator

if on linux - additionally you can try to correlate the output of the "last" command, which lists all linux users with corresponed login and logout times, with the time when the "./splunk restart" command was issues. That will not work if you have several simultaniously logged users. I think you need TA_nix Addon to get this info.

On Windows you need to check security log to get similar information (using Addon for Windows)

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.