Can a Splunk admin terminate a user session?

ogdin
Splunk Employee

Can a Splunk admin terminate a user session?


vin02ptl
Explorer

Run splunk logout; it will terminate the current session.


phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was no one on staff over Christmas/New Year who could have performed this ssh command.

I would have hoped there should be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
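The same two steps (list httpauth-tokens, DELETE the ones that belong to the user) can be scripted so an admin revokes every session of a given account at once rather than copying one token link by hand. This is an added example, not code from the thread or from Splunk; it assumes the endpoint returns `entry[].name` (the token) and `entry[].content.userName` when called with `output_mode=json`, and it embeds a constructed sample listing so it can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

BASE_URL = "https://localhost:8089"   # splunkd management port, as in the thread
TOKENS_PATH = "/services/authentication/httpauth-tokens"

# Constructed sample of a GET ...?output_mode=json listing (field names assumed).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "4b298e3f7c3aa937f114f3657dbd5314",
     "content": {"userName": "jsmith", "timeAccessed": "2024-12-24T09:15:00+00:00"}},
    {"name": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
     "content": {"userName": "admin", "timeAccessed": "2024-12-24T09:16:00+00:00"}},
    {"name": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     "content": {"userName": "jsmith", "timeAccessed": "2024-12-24T09:20:00+00:00"}},
]})

HttpFn = Callable[[str, str, str], Tuple[int, str]]


def tokens_for_user(listing_json: str, user: str) -> List[str]:
    """Every active session token owned by `user` (one account may hold several)."""
    doc = json.loads(listing_json)
    return [e["name"] for e in doc.get("entry", [])
            if e.get("content", {}).get("userName") == user]


def splunk_request(method: str, url: str, auth_header: str) -> Tuple[int, str]:
    """Minimal HTTP helper; auth_header is the Authorization value, e.g. 'Basic ...'."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:   # TLS verification stays enabled
        return resp.status, resp.read().decode()


def revoke_user_sessions(user: str, auth_header: str, http: HttpFn = splunk_request,
                         base_url: str = BASE_URL) -> List[Tuple[str, int]]:
    """List sessions, DELETE each one owned by `user`, return (token, status) pairs
    so the caller can record exactly which sessions were revoked."""
    _, body = http("GET", f"{base_url}{TOKENS_PATH}?output_mode=json", auth_header)
    revoked = []
    for token in tokens_for_user(body, user):
        url = f"{base_url}{TOKENS_PATH}/{urllib.parse.quote(token, safe='')}"
        status, _ = http("DELETE", url, auth_header)
        revoked.append((token, status))
    return revoked
```

The `http` parameter exists so the flow can be tested against the embedded sample; in production, pass an admin session's credentials and the real management URL.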

splunkreal
Motivator

Hello,

This is not accurate; I can't find HTTP tokens, but the user is still doing searches.

Thanks.

* If this helps, please upvote or accept solution if it solved *

dural_yyz
Motivator

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches", which will run on a time pattern (CRON) regardless of the user's current GUI access.

splunkreal
Motivator

It is still difficult to identify where users are connected from, except if you search Splunk load balancers / web servers.


dural_yyz
Motivator

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session
If you add a filter on the user field you can narrow down to specific account.

- clientip: source IP of the connection; obviously NAT could hide the source, but that's up to your network layout

- session: this is the http auth token that other users have already shown how to force delete from the system

splunkreal
Motivator

This should be implemented in Splunk GUI 🙂
