Getting Data In

Is it possible to Monitor Splunk User activity?

Dark_Ichigo
Builder

Is it possible to Monitor Spunk User activity of users using Splunk, based on Splunk internal Logs?

If so What would be the best place to start monitoring?, if there was an already built Splunk App for this that would be a great advantage 🙂

If the above isnt possible, what would be the best alternative?

1 Solution

Damien_Dallimor
Ultra Champion

The Splunk on Splunk app has some User Activity views.

Furthermore you can search the "_audit" index :

index=_audit | table _time user action info

The "_internal" index also has some sources on which to do username analytics ie:searches.log

View solution in original post

bandit
Motivator

Dashboard of user activity. Note: you can optionally add your own host filters for the host/search head drop-down.

 <form>
  <label>Activity Audit</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host (search head)</label>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">All</choice>
      <fieldForLabel>action</fieldForLabel>
      <fieldForValue>action</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields action 
| dedup action 
| table action 
| sort action</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="action_pattern" searchWhenChanged="true">
      <label>Action Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="info_message" searchWhenChanged="true">
      <label>Info Message</label>
      <choice value="*">All</choice>
      <choice value="NULL">NULL</choice>
      <default>*</default>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>info</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields info 
| dedup info 
| table info 
| sort info
| search NOT info="app=*"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="info_message_pattern" searchWhenChanged="true">
      <label>Info Message Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>index=_audit sourcetype=audittrail host=$host$ action=* 
| fields user 
| dedup user 
| table user 
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma seperated)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Current Time</title>
      <table>
        <search>
          <query>| makeresults 
| eval _time=now()
| table _time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Active User Accounts</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
        </format>
        <format type="color" field="type">
          <colorPalette type="map">{"SAML":#A2CC3E,"Splunk":#F7BC38}</colorPalette>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last Action</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info
| fillnull value=NULL
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| sort -_time 
| dedup user 
| table _time user action info 
| sort user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6,"NULL":#D1D1D1}</colorPalette>
        </format>
      </table>
    </panel>
    <panel>
      <title>Last Login Attempt</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ action="login attempt"
| fields _time user action info
| fillnull value=NULL
| search info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| sort -_time 
| dedup user 
| table _time user action info 
| sort user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="info">
          <colorPalette type="map">{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Activity Timeline by Host</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info host
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time host
| timechart count by host</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Activity Timeline by User</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info user
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time user
| timechart count by user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Activity Timeline by Action</title>
      <chart>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields _time user action info
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields _time action
| timechart count by action</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Host</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields user action info host 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields host
| top host limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Top Users</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ a 
| fields user action info 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields user
| top user limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Top Actions</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ 
| fields user action info 
| fillnull value=NULL 
| search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| fields action 
| top action limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Actions by User and Host</title>
      <table>
        <search>
          <query>index=_audit sourcetype=audittrail host=$host$ action=$action$ action="*$action_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) 
| eval user_activity=host+"-"+user+"-"+action 
| top user_activity limit=1000</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user_activity">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

afk
Observer

Hello,

I've used the upper example and it works just fine, but I have a small notice which I can't pass
So might not be related to this subject, but as long as it is in this page.. 
"This dashboard version is missing. Update the dashboard version in source."

So raised question: Where should I add/insert the dashboard tags as outside form tags is not accepted and inside form tags is not accepted too. (Edit Dashboard -> Source)
Thank you  

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Replace

<form>

with

<form version="1.1">

(optionally)

<form version="1.1" theme="dark">
0 Karma

robertlynch2020
Motivator

Error parsing XML on line 417: Premature end of data in tag form line 1

bandit
Motivator

Thanks @robertlynch2020 - I've corrected the paste typo.

0 Karma

robertlynch2020
Motivator

I used this
index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100

However sometimes i get users that did not log in, saying they did log in.

I think it might be due to the DNS LP address changing..

vince2010091
Path Finder

Hello,

App S.O.S. (Splunk On Splunk) provides dashboards about that, furthermore, without any app, on right top menu, you have: Activity > System Activity > Search overview / details / user activity.

Regards,

Damien_Dallimor
Ultra Champion

The Splunk on Splunk app has some User Activity views.

Furthermore you can search the "_audit" index :

index=_audit | table _time user action info

The "_internal" index also has some sources on which to do username analytics ie:searches.log

Dark_Ichigo
Builder

Thanks, This is almost exactly what I needed.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...