Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find Current logged in users in Splunk 6, query works for 5.x

somesoni2
Revered Legend
‎12-04-2013 06:37 AM

Hi All,

I have been using below query to get the list of users currently logged into my Splunk Instance.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

When I tried the same thing in Splunk 6, I am getting 0 rows. It seems for all the logged in users, the userName field is "splunk-system-user", hence no rows.(I used this clause in Splunk 5.X to exclude schedule search/splunk system accounts.

Have anyone done similar query to get list of current users in Splunk 6.

Thanks in advanced.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

View solution in original post

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎08-24-2015 05:45 AM

First query doesn't work..

This query works.. but it's not live, had someone log off actualy log off and still showed up, so not real time.
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by username

Anyone have a query that actually works in real time?

0 Karma
Reply
Solved! Jump to solution

sat94541
Communicator
‎03-04-2015 05:29 PM

To find the user logged into Splunk , here are you searches you can use

| rest /services/authentication/current-context splunk_server=local|table username

or
you could also check the auth tokens
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by userName

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-12-2013 12:09 PM

Not sure what was the issue. I just reinstalled Splunk and its working fine now.

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎12-12-2013 10:02 AM

I ran this as well and it worked. I got userName->admin , splunk_server->192.168.2.11, timeAccessed-> yada yada.. Im on Splunk 6.0 Build 174933.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-04-2013 08:39 AM

What did it showed under uswrName field? Did it show all the users or just splunk-system-user? For me its showing all values as splunk-sys

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎12-04-2013 07:27 AM

I ran this on my splunk 6.0 instance and it worked.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...