Security

How do you find out who is logged onto Splunk right now?

dhaffner
Path Finder

I'm trying to find a way to see, at any given point in time, what users are actually logged into Splunk. (At least how many) Does anyone have any suggestions? Thanks!

1 Solution

Stephen_Sorkin
Splunk Employee

You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.

https://splunk-server:8089/services/admin/httpauth-tokens

robertlynch2020
Motivator

index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart distinct_count(clienthost) by clienthost span=1d limit=100

This command worked very well

0 Karma

robertlynch2020
Motivator

index=_audit action="login attempt" "info=succeeded" | stats count by action , user , _time | timechart span=1d count by user

I used this

0 Karma

deepan1n1
New Member

How about pulling out the host/IP from which the user is accessing Splunk?

0 Karma

theunf
Communicator

Leo,

I use almost the same approach as you did to build your app.
Is it compatible with SHC?

I'm very much concerned about how disk consumption is growing with the artifact replication in a SHC environment.

Below is a list of dashboards I'm trying to get done using my spare time:
- individual disk usage (searchable UI) and top disk usage users
- alert on artifacts with an expiration time of X hours and more than X MBs
- SHC artifact replication and configuration sync status among Search Heads
- per search head total disk usage historical usage curve and a "prediction" of how much disk will be needed in X months/days
- alert for a threshold on free disk space X growth percentage

Take these as suggestions to be added to your app, or point me to any apps that may
already accomplish at least part of it.

Cya.

0 Karma

Leo
Splunk Employee

I've put together an app that shows in real time who's logged on: Who's there
Please let me know if you have any suggestions.

0 Karma

dmillis
Splunk Employee

Another alternative to show who has logged in during the last hour and is still logged in now:
index=_internal (action=login OR action=logout) sourcetype="splunk_web_service" earliest=-1h | stats first(action) as currentstate by user | where currentstate="login"

0 Karma
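The latest-action-wins logic of this search, as an added Python example that is not part of the original post. It replays constructed web_service.log lines in the layout mzorzi quotes further down the thread; the status filter is an addition beyond the SPL, and the sample users and IPs are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the web_service.log layout quoted in this thread
# (user=... action=login|logout status=...). Not real Splunk output.
SAMPLE_LOG = """\
2010-06-27 03:50:01,100 INFO [4d416354d820e7f351] account:237 - user=matt action=login status=success reason=user-initiated clientip=101.33.11.153
2010-06-27 03:55:12,200 INFO [4d416354d820e7f352] account:237 - user=alice action=login status=success reason=user-initiated clientip=10.0.0.7
2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated clientip=101.33.11.153
2010-06-27 04:30:00,000 INFO [4d416354d820e7f353] account:237 - user=bob action=login status=fail reason=bad-password clientip=10.0.0.9
2010-06-27 04:40:00,000 INFO [4d416354d820e7f354] account:237 - user=matt action=login status=success reason=user-initiated clientip=101.33.11.153
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?"
    r"\buser=(?P<user>\S+) action=(?P<action>login|logout) status=(?P<status>\S+)"
)

def parse_events(text):
    """Return (timestamp, user, action, status) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT),
                           m["user"], m["action"], m["status"]))
    return sorted(events)

def currently_logged_in(text, now, window_hours=1):
    """Same idea as the search above: the latest login/logout action per user
    inside the lookback window decides that user's state. Splunk lists events
    newest-first, which is why first(action) is the latest one; here we sort
    ascending and let later events overwrite earlier ones. Extension over the
    SPL: non-success events are ignored, so a rejected login is never counted
    as an active session. `now` is a string in the log's own timestamp format."""
    now_dt = datetime.strptime(now, TS_FMT)
    cutoff = now_dt - timedelta(hours=window_hours)
    state = {}
    for ts, user, action, status in parse_events(text):
        if ts < cutoff or ts > now_dt or status != "success":
            continue
        state[user] = action
    return sorted(u for u, a in state.items() if a == "login")

if __name__ == "__main__":
    print(currently_logged_in(SAMPLE_LOG, "2010-06-27 04:45:00"))
```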

Ovi
Path Finder

How about this?
Seems to work for me and, aside from users currently logged in, it also tracks the times when a user logged in or logged off:

index=_internal source="*web_access.log" user!="-" | eval status=if(count < 1,0,1) | timechart max(status) by user

lakromani
Builder

I did like this as well.
But is there an easy way to get row as user and column as time?
If I do:

index=_internal source="*web_access.log" user!="-" 
| eval status=if(count < 1,0,1)
| timechart max(status) by user 
| transpose

It's close to correct, except the column headers become row1, row2 etc., not the time?
How to fix that?

0 Karma

koshyk
Super Champion

Nice one, a different take on it.
Based on this the timechart looks very good and the stacked one is quite cool. Cheers for this.

0 Karma

ITICSNORTH
Explorer

perfect man it works 🙂

0 Karma

I_am_Jeff
Communicator

Kinda neat. It gets a bit cumbersome if more than a few users are logged in or when searching over a long time period, but I like it. If you just want to count users, change "timechart" to "stats".

0 Karma

mzorzi
Splunk Employee

You can find the logout message in web_service.log:

2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5" clientip=101.33.11.153

rotten
Communicator

Under the 'Status' dropdown in the Search app (if you are using 4.1+), you can slide out the 'Search Activity' submenu and select "UI Activity". This shows you the people who are accessing Splunk via the web interface.

It doesn't really show you if they are actually doing something at that very moment, but you can narrow your list of people whom you need to call before doing maintenance...

Lowell
Super Champion

You can also get some information by searching some internal Splunk logs:

  1. Based on web access to splunkd web (ip address only)

    index=_internal source="*web_access.log" earliest=-15m | top clientip

  2. User based on interactive searches:

    index=_internal source=searches | top user

  3. User logins based on audit logs:

    index=_audit action="login attempt" "info=succeeded"

There doesn't seem to be any audit of any logout events, unfortunately.

kurdbahr
Path Finder

Using the same interface in a Splunk search:

| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName

0 Karma
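Reading the httpauth-tokens endpoint from the accepted answer over REST and aggregating it per user the way kurdbahr's search does, as an added Python example that is not from this thread. The Atom/s:dict response layout and the userName key are assumptions about the endpoint's output; the base URL, session key and sample entries are placeholders.

```python
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample response. The Atom/s:dict layout and the userName key are
# an assumption about what the endpoint returns, not copied from the thread.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>SESSION_KEY_PLACEHOLDER_1</title><updated>2010-06-27T04:21:40-07:00</updated>
    <content type="text/xml"><s:dict><s:key name="userName">matt</s:key></s:dict></content></entry>
  <entry><title>SESSION_KEY_PLACEHOLDER_2</title><updated>2010-06-27T04:40:00-07:00</updated>
    <content type="text/xml"><s:dict><s:key name="userName">matt</s:key></s:dict></content></entry>
  <entry><title>SESSION_KEY_PLACEHOLDER_3</title><updated>2010-06-27T03:55:12-07:00</updated>
    <content type="text/xml"><s:dict><s:key name="userName">alice</s:key></s:dict></content></entry>
</feed>
"""

def fetch_tokens(base_url, session_key, timeout=10):
    """GET the endpoint from the accepted answer (e.g. base_url =
    "https://splunk-server:8089"). Authenticates with a splunkd session key in
    the "Authorization: Splunk <key>" header; count=0 asks for every entry
    instead of the default page size. Needs network access, so it is not
    exercised offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/admin/httpauth-tokens?count=0",
        headers={"Authorization": "Splunk " + session_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def sessions_by_user(feed_xml):
    """Aggregate like `| stats count max(updated) by userName`: returns
    {userName: (live_session_count, latest_updated)}. Timestamps are compared
    as strings, which is only valid while they share one UTC offset."""
    out = {}
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        updated = entry.findtext(ATOM + "updated", default="")
        user = next((k.text for k in entry.iter(SREST + "key")
                     if k.get("name") == "userName"), None)
        if not user:
            continue  # a token without a user name is not a user session
        count, latest = out.get(user, (0, ""))
        out[user] = (count + 1, max(latest, updated))
    return out

if __name__ == "__main__":
    for user, (n, last) in sorted(sessions_by_user(SAMPLE_FEED).items()):
        print(f"{user}: {n} session(s), last updated {last}")
```

Two entries for the same user means two live sessions (two browsers, or a session that was not logged out), which is the kind of thing to reconcile against the logout events discussed earlier in the thread.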