REST call to show the number of logged-in users in...

sheltomt · ‎08-24-2017

I've got a cluster question regarding REST calls and translation into a clustered environment. I have multiple searches with problems, but I figure I can get pointed in the right direction and be good.

On my non-clustered search head, I have a call for displaying the number of logged-in users:

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=local |search NOT userName="splunk-system-user" searchId=""|stats dc(userName) AS count

I'm not sure how to translate this into our new clustered environment. I've seen via Google of

 index=_internal sourcetype=splunkd_ui_access

but this is more of a log, not a count of currently logged in

Anyone have insight?

xavierashe · ‎10-23-2017

Change the splunk_server to point toward your cluster master. Here's what I have on my dashboard:

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=mymaster.company.corp |search NOT userName="admin" searchId=""|stats dc(userName) AS count

REST call to show the number of logged-in users in a clustered environment?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

REST call to show the number of logged-in users in a clustered environment?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES