Successful login attempts at Splunk front-end (GUI)


Deployed a clustered Splunk Enterprise environment and we would like to check successful logins attempts from operating and supporting teams at Splunk Web interface (front-end) to check front-end utilization. Current solution has 3 search heads and 3 indexers. Where and how should we retrieve such information from?


Labels (1)
Tags (1)
0 Karma


See if this gives you what you're looking for.

index=_audit login action=success NOT user="internal*" info=succeeded
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...