Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find Current logged in users in Splunk 6, query works for 5.x

somesoni2
Revered Legend
‎12-04-2013 06:37 AM

Hi All,

I have been using below query to get the list of users currently logged into my Splunk Instance.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

When I tried the same thing in Splunk 6, I am getting 0 rows. It seems for all the logged in users, the userName field is "splunk-system-user", hence no rows.(I used this clause in Splunk 5.X to exclude schedule search/splunk system accounts.

Have anyone done similar query to get list of current users in Splunk 6.

Thanks in advanced.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

View solution in original post

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎08-24-2015 05:45 AM

First query doesn't work..

This query works.. but it's not live, had someone log off actualy log off and still showed up, so not real time.
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by username

Anyone have a query that actually works in real time?

0 Karma
Reply
Solved! Jump to solution

sat94541
Communicator
‎03-04-2015 05:29 PM

To find the user logged into Splunk , here are you searches you can use

| rest /services/authentication/current-context splunk_server=local|table username

or
you could also check the auth tokens
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by userName

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎12-12-2013 10:02 AM

I ran this as well and it worked. I got userName->admin , splunk_server->192.168.2.11, timeAccessed-> yada yada.. Im on Splunk 6.0 Build 174933.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-04-2013 08:39 AM

What did it showed under uswrName field? Did it show all the users or just splunk-system-user? For me its showing all values as splunk-sys

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎12-04-2013 07:27 AM

I ran this on my splunk 6.0 instance and it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...