We deployed a clustered Splunk Enterprise environment and would like to check successful login attempts from the operating and supporting teams on the Splunk Web interface (front end) to check front-end utilization. The current solution has 3 search heads and 3 indexers. Where and how should we retrieve such information?
Thanks.
See if this gives you what you're looking for.
index=_audit login action=success NOT user="internal*" info=succeeded