Reporting

Successful login attempts at Splunk front-end (GUI)

rdaniel
Loves-to-Learn

Deployed a clustered Splunk Enterprise environment and we would like to check successful logins attempts from operating and supporting teams at Splunk Web interface (front-end) to check front-end utilization. Current solution has 3 search heads and 3 indexers. Where and how should we retrieve such information from?

Thanks.

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

See if this gives you what you're looking for.

index=_audit login action=success NOT user="internal*" info=succeeded
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!