Security

How do I restrict the number of concurrent logins?

Motivator

Hi,

Is there any configuration that can set the maximum number of concurrent logins for SplunkWeb?
e.g. I don't want many users to log in as admin.

Thanks,

Tags (2)
1 Solution

Builder

As far as I'm aware there's no way to do this in Splunk itself. You should be able to do this with something like an F5 LTM/APM married up with an iRule to limit concurrent sessions, but from what you've said I doubt this is what you're after.

This sounds like a scaling or user management issue rather than a technical one. Is there any reason why you want to limit admin users in particular?

Cheers,

RT

View solution in original post

New Member

Hi All,
Just a quick check of anyone has successfully solve this issue based on current version 6.3

James

0 Karma

Contributor

Nope. Concurrent users aren't a metric Splunk really cares about. Recall that if a user is logged in and sitting on a Splunk dashboard or the S&R app and not doing anything other than looking at the results of a search or of a view that has already completed loading, there is no "load" on Splunk for that user. It is only when the user is executing searches or loading dashboards that they are generating search load.

Note that with recent versions of Splunk, as a user types in SPL, there is a small amount of "typeahead" load that is generated as Splunk tries to help out the user with Splunk command syntax and search through the users history attempting to match previous searches.

0 Karma

Splunk Employee
Splunk Employee

If you're interested in looking up who is logged in, you could use the following search "index=_internal sourcetype="splunk_web_access" user!="-" |transaction user | where mvcount(clientip) > 1 | table user clientip" to determine how many sessions are logged in with a single account. Depending on your enterprise setup, you could also do a lookup by IP to determine who is logged in from which workstation.

0 Karma

Builder

As far as I'm aware there's no way to do this in Splunk itself. You should be able to do this with something like an F5 LTM/APM married up with an iRule to limit concurrent sessions, but from what you've said I doubt this is what you're after.

This sounds like a scaling or user management issue rather than a technical one. Is there any reason why you want to limit admin users in particular?

Cheers,

RT

View solution in original post

Builder

I'm currently doing user planning for a distributed deployment now so I feel your pain. Best of luck.

0 Karma

Motivator

Thank you for your comment.
As you guessed, I need to limit a certain number of users because the sizing of Splunk and hardware as well as whole network need to be under control. There is no ongoing issue, but I simply need the feature as a system requirement.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!