
Is it possible to Monitor Splunk User activity?

Dark_Ichigo
Builder

Is it possible to monitor Splunk user activity of users using Splunk, based on Splunk internal logs?

If so, what would be the best place to start monitoring? If there was an already built Splunk app for this, that would be a great advantage 🙂

If the above isn't possible, what would be the best alternative?

1 Solution

Damien_Dallimor
Ultra Champion

The Splunk on Splunk app has some User Activity views.

Furthermore, you can search the "_audit" index:

index=_audit | table _time user action info

The "_internal" index also has some sources on which to do username analytics, i.e. searches.log


bandit
Motivator

Dashboard of user activity. Note: you can optionally add your own host filters for the host/search head drop-down.

<form>
  <label>Activity Audit</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host (search head)</label>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">All</choice>
      <fieldForLabel>action</fieldForLabel>
      <fieldForValue>action</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields action 
| dedup action 
| table action 
| sort action</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="action_pattern" searchWhenChanged="true">
      <label>Action Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="info_message" searchWhenChanged="true">
      <label>Info Message</label>
      <choice value="*">All</choice>
      <choice value="NULL">NULL</choice>
      <default>*</default>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>info</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields info 
| dedup info 
| table info 
| sort info
| search NOT info="app=*"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="info_message_pattern" searchWhenChanged="true">
      <label>Info Message Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields user 
| dedup user 
| table user 
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma separated)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Current Time</title>
      <table>
        <search>
          <query>| makeresults 
| eval _time=now()
| table _time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Active User Accounts</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
        </format>
        <format type="color" field="type">
          <colorPalette type="map">{"SAML":#A2CC3E,"Splunk":#F7BC38}</colorPalette>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last Action</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| sort -_time 
| dedup user 
| table _time user action info 
| sort user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6,"NULL":#D1D1D1}</colorPalette>
        </format>
      </table>
    </panel>
    <panel>
      <title>Last Login Attempt</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ action="login attempt"
| fields _time user action info
| fillnull value=NULL
| search info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| sort -_time 
| dedup user 
| table _time user action info 
| sort user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Activity Timeline by Host</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info host
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time host
| timechart count by host</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Activity Timeline by User</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time user
| timechart count by user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Activity Timeline by Action</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time action
| timechart count by action</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Host</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields user action info host 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields host
| top host limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Top Users</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields user action info 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields user
| top user limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Top Actions</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields user action info 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields action 
| top action limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Actions by User and Host</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ action=$action$ action="*$action_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| eval user_activity=host+"-"+user+"-"+action 
| top user_activity limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user_activity">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
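The "Last Login Attempt" panel above (and Damien's plain `index=_audit | table _time user action info` search) boil down to: keep only `login attempt` events, take the newest one per user, and read its `info` field. As an added example, not code from the thread or from Splunk, the same logic is implemented offline in Python over constructed audittrail-style lines, plus a repeated-failure count a defender would typically alert on. The event layout and field names are assumed from the audittrail format; the sample lines are constructed.

```python
"""Offline equivalent of the dashboard's "Last Login Attempt" panel:
action="login attempt" | sort -_time | dedup user | sort user.
The audit lines below are constructed samples, not real Splunk output."""
import re
from datetime import datetime

# Constructed events in audittrail layout: timestamp, user, action, info ...
SAMPLE_AUDIT = """\
Audit:[timestamp=03-14-2024 09:01:10.100, user=admin, action=login attempt, info=succeeded reason=user-initiated clientip=10.1.2.3][n/a]
Audit:[timestamp=03-14-2024 09:02:30.200, user=alice, action=login attempt, info=failed reason=user-initiated clientip=10.1.2.4][n/a]
Audit:[timestamp=03-14-2024 09:05:00.300, user=alice, action=login attempt, info=succeeded reason=user-initiated clientip=10.1.2.4][n/a]
Audit:[timestamp=03-14-2024 09:06:15.400, user=alice, action=search, info=granted search_id='1710406000.1'][n/a]
Audit:[timestamp=03-14-2024 09:10:45.500, user=bob, action=login attempt, info=failed reason=user-initiated clientip=10.1.2.5][n/a]
Audit:[timestamp=03-14-2024 09:11:05.600, user=bob, action=login attempt, info=failed reason=user-initiated clientip=10.1.2.5][n/a]
"""

# Assumed field layout: comma-separated key=value pairs, info is the first token after "info=".
AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>\S+)"
)

def parse_audit(text):
    """Turn raw audit lines into dicts with the same four fields the dashboard tables."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # skip lines that are not audit events
        events.append({
            "_time": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
            "user": m["user"], "action": m["action"], "info": m["info"],
        })
    return events

def last_login_attempt(events):
    """Newest login attempt per user, ordered by user (sort -_time | dedup user | sort user)."""
    latest = {}
    for ev in events:
        if ev["action"] != "login attempt":
            continue
        cur = latest.get(ev["user"])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev["user"]] = ev
    return [latest[u] for u in sorted(latest)]

def failed_login_counts(events, threshold=2):
    """Users whose failed login attempts reach the threshold; a simple lockout/alert check."""
    counts = {}
    for ev in events:
        if ev["action"] == "login attempt" and ev["info"] == "failed":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for row in last_login_attempt(evs):
        print(row["_time"], row["user"], row["action"], row["info"])
    print("repeated failures:", failed_login_counts(evs))
```

Note that a user whose last attempt failed but who succeeded earlier (bob here) shows as `failed` in the panel; the failure count is what tells a repeated failure apart from a single typo.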

afk
Observer

Hello,

I've used the example above and it works just fine, but I get a small notice which I can't get past. It might not be related to this subject, but since it is on this page:
"This dashboard version is missing. Update the dashboard version in source."

So the question raised: where should I add/insert the dashboard tags? Outside the form tags is not accepted, and inside the form tags is not accepted either. (Edit Dashboard -> Source)
Thank you


PickleRick
SplunkTrust

Replace

<form>

with

<form version="1.1">

(optionally)

<form version="1.1" theme="dark">

robertlynch2020
Influencer

Error parsing XML on line 417: Premature end of data in tag form line 1

bandit
Motivator

Thanks @robertlynch2020 - I've corrected the paste typo.


robertlynch2020
Influencer

I used this
index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100

However, sometimes I get users that did not log in, saying they did log in.

I think it might be due to the DNS IP address changing.

vince2010091
Path Finder

Hello,

The S.O.S. (Splunk On Splunk) app provides dashboards about that. Furthermore, without any app, in the top right menu you have: Activity > System Activity > Search overview / details / user activity.

Regards,

Dark_Ichigo
Builder

Thanks, This is almost exactly what I needed.
