Is it possible to Monitor Spunk User activity of users using Splunk, based on Splunk internal Logs?
If so What would be the best place to start monitoring?, if there was an already built Splunk App for this that would be a great advantage 🙂
If the above isnt possible, what would be the best alternative?
The Splunk on Splunk app has some User Activity views.
Furthermore you can search the "_audit" index :
index=_audit | table _time user action info
The "_internal" index also has some sources on which to do username analytics ie:searches.log
Dashboard of user activity. Note: you can optionally add your own host filters for the host/search head drop-down.
<form>
<label>Activity Audit</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host (search head)</label>
<choice value="*">All</choice>
<default>*</default>
</input>
<input type="dropdown" token="action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">All</choice>
<fieldForLabel>action</fieldForLabel>
<fieldForValue>action</fieldForValue>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ action=*
| fields action
| dedup action
| table action
| sort action</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
</input>
<input type="text" token="action_pattern" searchWhenChanged="true">
<label>Action Pattern</label>
<default>*</default>
</input>
<input type="dropdown" token="info_message" searchWhenChanged="true">
<label>Info Message</label>
<choice value="*">All</choice>
<choice value="NULL">NULL</choice>
<default>*</default>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>info</fieldForValue>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ action=*
| fields info
| dedup info
| table info
| sort info
| search NOT info="app=*"</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
</input>
<input type="text" token="info_message_pattern" searchWhenChanged="true">
<label>Info Message Pattern</label>
<default>*</default>
</input>
<input type="dropdown" token="user" searchWhenChanged="true">
<label>User</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ action=*
| fields user
| dedup user
| table user
| sort user</query>
</search>
</input>
<input type="text" token="user_pattern" searchWhenChanged="true">
<label>User Pattern</label>
<default>*</default>
</input>
<input type="text" token="user_list" searchWhenChanged="true">
<label>User List (comma seperated)</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Current Time</title>
<table>
<search>
<query>| makeresults
| eval _time=now()
| table _time</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
<panel>
<title>Active User Accounts</title>
<table>
<search>
<query>| rest /services/authentication/users splunk_server=local
| table defaultApp id realname email roles type splunk_server capabilities
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| table user realname email type roles splunk_server
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="info">
<colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
</format>
<format type="color" field="type">
<colorPalette type="map">{"SAML":#A2CC3E,"Splunk":#F7BC38}</colorPalette>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Last Action</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields _time user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| sort -_time
| dedup user
| table _time user action info
| sort user</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="info">
<colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6,"NULL":#D1D1D1}</colorPalette>
</format>
</table>
</panel>
<panel>
<title>Last Login Attempt</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ action="login attempt"
| fields _time user action info
| fillnull value=NULL
| search info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| sort -_time
| dedup user
| table _time user action info
| sort user</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="info">
<colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Activity Timeline by Host</title>
<chart>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields _time user action info host
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields _time host
| timechart count by host</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Activity Timeline by User</title>
<chart>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields _time user action info user
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields _time user
| timechart count by user</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Activity Timeline by Action</title>
<chart>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields _time user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields _time action
| timechart count by action</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Top Host</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields user action info host
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields host
| top host limit=1000</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
<panel>
<title>Top Users</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ a
| fields user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields user
| top user limit=1000</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
<panel>
<title>Top Actions</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$
| fields user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| fields action
| top action limit=1000</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Top Actions by User and Host</title>
<table>
<search>
<query>index=_audit sourcetype=audittrail host=$host$ action=$action$ action="*$action_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$)
| eval user_activity=host+"-"+user+"-"+action
| top user_activity limit=1000</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="user_activity">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
</form>
Hello,
I've used the upper example and it works just fine, but I have a small notice which I can't pass
So might not be related to this subject, but as long as it is in this page..
"This dashboard version is missing. Update the dashboard version in source."
So raised question: Where should I add/insert the dashboard tags as outside form tags is not accepted and inside form tags is not accepted too. (Edit Dashboard -> Source)
Thank you
Replace
<form>
with
<form version="1.1">
(optionally)
<form version="1.1" theme="dark">
Error parsing XML on line 417: Premature end of data in tag form line 1
Thanks @robertlynch2020 - I've corrected the paste typo.
I used this
index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100
However sometimes i get users that did not log in, saying they did log in.
I think it might be due to the DNS LP address changing..
Hello,
App S.O.S. (Splunk On Splunk) provides dashboards about that, furthermore, without any app, on right top menu, you have: Activity > System Activity > Search overview / details / user activity.
Regards,
The Splunk on Splunk app has some User Activity views.
Furthermore you can search the "_audit" index :
index=_audit | table _time user action info
The "_internal" index also has some sources on which to do username analytics ie:searches.log
Thanks, This is almost exactly what I needed.