I am pulling logs from the devices in my network and I would like to know if it is possible for Splunk to show on a dashboard, whether or not a user is logged into it. Perhaps this can be displayed in the form of a table. For example it could list the name of every device and in another column show if/which user is currently logged in.
Any help would be massively appreciated.
Try this
Suppose this is your data
Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:42:07 OIEXTFW02 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[2650]: msg_id="3E00-0002" Management user lheath1@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:44:27 OIEXTFW02 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[2650]: msg_id="3E00-0004" Management user lheath1@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:43:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[3650]: msg_id="3E00-0002" Management user lheath2@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:46:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[4650]: msg_id="3E00-0004" Management user lheath3@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:48:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[5650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
This is the regex to extract fields:
\d{2}\s(?<device>[^\s]{9})\s.*\[(?<sid>[^\]]+).*user\s(?<user>[^\s]+).*logged\s(?<lstate>\w+)
Here's the SPL to display who's logged in where at this point in time.
... | sort user _time | chart latest(lstate) over user by device
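The same extraction and "latest state per user and device" logic, carried through to the per-device table the question asks for, as an added example that is not part of sundareshr's answer or of Splunk itself. It is a Python port of the answer's regex (Python's re module spells named groups `(?P<name>...)`), with two assumptions of its own: the relay hostname is matched as `\S+` instead of a fixed nine characters, so devices with longer or shorter names still extract, and the year is taken from the Firebox's ISO timestamp because the syslog header has none. The sample lines are the ones posted above; ordering is by the syslog relay time, since the device-side timestamps in this sample repeat and the lines are not posted in time order.

```python
import re
from datetime import datetime

# Constructed sample events, copied from the answer above. Each line carries the
# syslog relay's timestamp and hostname, then the Firebox's own timestamp and message.
SAMPLE_EVENTS = """\
Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:42:07 OIEXTFW02 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[2650]: msg_id="3E00-0002" Management user lheath1@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:44:27 OIEXTFW02 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[2650]: msg_id="3E00-0004" Management user lheath1@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:43:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[3650]: msg_id="3E00-0002" Management user lheath2@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:46:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[4650]: msg_id="3E00-0004" Management user lheath3@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:48:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[5650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
"""

# Port of the answer's extraction to Python syntax. Assumptions beyond the answer:
# the relay hostname is \S+ rather than exactly nine characters, the syslog header
# time is captured for ordering, and the year comes from the ISO timestamp.
EVENT_RE = re.compile(
    r"^(?P<hdr>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<device>\S+)\s"
    r".*\((?P<iso>\d{4})[^)]*\)"
    r".*sessiond\[(?P<sid>[^\]]+)\]"
    r".*user\s(?P<user>\S+)"
    r".*logged\s(?P<lstate>\w+)"
)


def parse_event(line):
    """Return the extracted fields plus a datetime, or None if the line is not a
    sessiond login/logout event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # syslog pads a one-digit day with two spaces; collapse before parsing
    hdr = " ".join(fields["hdr"].split())
    fields["time"] = datetime.strptime(f"{fields['iso']} {hdr}", "%Y %b %d %H:%M:%S")
    return fields


def latest_state(lines):
    """Equivalent of `chart latest(lstate) over user by device`: the most recent
    lstate for every (user, device) pair, chosen by event time rather than by the
    order the lines happen to arrive in."""
    latest = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["device"])
        if key not in latest or ev["time"] > latest[key]["time"]:
            latest[key] = ev
    return {key: ev["lstate"] for key, ev in latest.items()}


def logged_in_by_device(lines):
    """The table the question asks for: device -> sorted users whose most recent
    session event on that device is a login. A device whose sessions have all
    logged out still appears, with an empty list."""
    table = {}
    for (user, device), state in latest_state(lines).items():
        table.setdefault(device, [])
        if state == "in":
            table[device].append(user)
    return {device: sorted(users) for device, users in table.items()}


def render(table):
    """Plain-text rendering of the device/user table, one device per row."""
    rows = []
    for device, users in sorted(table.items()):
        rows.append(f"{device}\t{', '.join(users) or '-'}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(logged_in_by_device(SAMPLE_EVENTS.splitlines())))
```

In SPL the regex goes into a `rex` command ahead of the chart, i.e. `... sessiond | rex "<regex>" | chart latest(lstate) over user by device`; `latest()` already picks by `_time`, so the `sort` is not what orders it. For the device-oriented table, `| stats latest(lstate) as lstate by device user | where lstate="in" | stats values(user) as users by device` gives the same result this script prints.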
Thank you for your reply sundareshr.
My apologies, but how would I use these two commands together? Where would I put the regex? I haven't been using Splunk for long. My problem is that some of the other devices do not display login or authentication details in the same way.
With a bit more understanding, I achieved this Sir. Thank you so much!!!
Please share sample data from all relevant logs.
I have data that informs when a user has logged into a system and when they log out. I'll provide an example below:
Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
Once this event occurs, I would love the table to say: OIEXTFW01 - (user)
Until this kind of message occurs:
Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.