REST call to show the number of logged-in users in...

sheltomt · ‎08-24-2017

I've got a cluster question regarding REST calls and translation into a clustered environment. I have multiple searches with problems, but I figure I can get pointed in the right direction and be good.

On my non-clustered search head, I have a call for displaying the number of logged-in users:

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=local |search NOT userName="splunk-system-user" searchId=""|stats dc(userName) AS count

I'm not sure how to translate this into our new clustered environment. I've seen via Google of

 index=_internal sourcetype=splunkd_ui_access

but this is more of a log, not a count of currently logged in

Anyone have insight?

xavierashe · ‎10-23-2017

Change the splunk_server to point toward your cluster master. Here's what I have on my dashboard:

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=mymaster.company.corp |search NOT userName="admin" searchId=""|stats dc(userName) AS count

REST call to show the number of logged-in users in a clustered environment?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

REST call to show the number of logged-in users in a clustered environment?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...