Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find Current logged in users in Splunk 6, query works for 5.x

somesoni2
Revered Legend
‎12-04-2013 06:37 AM

Hi All,

I have been using below query to get the list of users currently logged into my Splunk Instance.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

When I tried the same thing in Splunk 6, I am getting 0 rows. It seems for all the logged in users, the userName field is "splunk-system-user", hence no rows.(I used this clause in Splunk 5.X to exclude schedule search/splunk system accounts.

Have anyone done similar query to get list of current users in Splunk 6.

Thanks in advanced.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

View solution in original post

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎08-24-2015 05:45 AM

First query doesn't work..

This query works.. but it's not live, had someone log off actualy log off and still showed up, so not real time.
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by username

Anyone have a query that actually works in real time?

0 Karma
Reply
Solved! Jump to solution

sat94541
Communicator
‎03-04-2015 05:29 PM

To find the user logged into Splunk , here are you searches you can use

| rest /services/authentication/current-context splunk_server=local|table username

or
you could also check the auth tokens
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by userName

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎12-12-2013 10:02 AM

I ran this as well and it worked. I got userName->admin , splunk_server->192.168.2.11, timeAccessed-> yada yada.. Im on Splunk 6.0 Build 174933.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-04-2013 08:39 AM

What did it showed under uswrName field? Did it show all the users or just splunk-system-user? For me its showing all values as splunk-sys

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎12-04-2013 07:27 AM

I ran this on my splunk 6.0 instance and it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...