I need a search that can show me who is logging into our splunk instance itself. Not monitor logins to systems that are logging to splunk but monitor who is using splunk itself...
I am tinkering with something like "index=_internal sourcetype=access_combined" but can't find the actual "login" event.
OK, being kindof stupid, the Search Status dashboard has something like what I am looking for that I can use. One of the panels has "UI activity by user" that can be run separately. Namely:
"index="internal" source="/splunkd_access.log" "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-"| rex (?\d+)ms$ | timechart eval(sum(run_time)/1000) by user"
This works for my purposes.
