index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart distinct_count(clienthost) by clienthost span=1d limit=100
This command worked very well
I use almost the same way you did to build your app.
Is it compatible with SHC?
I'm very much concerned about how disk consumption is growing with the artifact replication in a SHC environment.
Below is a list of dashboards I'm trying to get done using my spare time:
- individual disk usage (searchable UI) and top disk usage users
- alert on artifacts with an expiration time of X hours and more than X MBs
- SHC artifact replication and configuration sync status among Search Heads
- per search head total disk usage historical usage curve and a "prediction" of how much disk will be needed in X months/days
- alert for a threshold on free disk space X growth percentage
Take these as suggestions to be added to your app, or point me to any apps that may already accomplish at least part of it.
Another alternative to show who has logged in during the last hour and is still logged in now:
index=_internal (action=login OR action=logout) sourcetype="splunk_web_service" earliest=-1h | stats first(action) as currentstate by user | where currentstate="login"
How about this?
Seems to work for me and, aside from users currently logged in, also tracks the times when a user logged in or logged off:
index=_internal source="*web_access.log" user!="-" | eval status=if(count < 1,0,1) | timechart max(status) by user
I did like this as well.
But is there an easy way to get row as user and column as time?
If I do:
index=_internal source="*web_access.log" user!="-" | eval status=if(count < 1,0,1) | timechart max(status) by user | transpose
It's close to correct, except the column header becomes row1, row2, etc., not the time?
How to fix that?
Kinda neat. It gets cumbersome if more than a few users are logged in or when searching over a long time period, but I like it. If you just want to count users, change "timechart" to "stats".
You can find the logout message in web_service.log:
2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:126.96.36.199) Gecko/20091102 Firefox/3.5.5" clientip=188.8.131.52
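The two answers above rely on the login/logout events in web_service.log: `stats first(action) as currentstate by user | where currentstate="login"` keeps a user's most recent action and reports the ones whose last action was a login. The following Python is an added example, not code from the thread or from Splunk, that does the same thing outside Splunk on log lines in the format quoted above; it also recovers login/logout sessions, which is what the timechart answer visualises. The log lines are constructed for the example (made-up users, session ids and RFC 5737 addresses), and lines are assumed to be in chronological order, which is why the "last event wins" rule replaces Splunk's `first()` over reverse-chronological results.

```python
import re
from datetime import datetime

# Constructed sample lines in the web_service.log format quoted in the thread.
# Users, session ids, user agents and IPs are made up for this example.
SAMPLE_LOG = """\
2010-06-27 04:10:02,101 INFO [aaaa] account:237 - user=matt action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=192.0.2.10
2010-06-27 04:12:40,855 INFO [bbbb] account:237 - user=alice action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=192.0.2.11
2010-06-27 04:15:00,000 INFO [cccc] account:237 - user=bob action=login status=failure reason=bad-password useragent="curl/7.1" clientip=192.0.2.12
2010-06-27 04:21:40,855 INFO [dddd] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=192.0.2.10
2010-06-27 04:30:10,500 INFO [eeee] account:237 - user=bob action=login status=success reason=user-initiated useragent="curl/7.1" clientip=192.0.2.12
"""

# Timestamp, level, session id, "account:<line> - " prefix, then key=value pairs.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+ \[[^\]]*\] account:\d+ - (?P<kv>.*)$'
)
# key=value where the value is either a double-quoted string (may contain spaces,
# e.g. the useragent) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of the key=value fields plus a parsed _time, or None if the line
    does not look like an account event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['_time'] = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
    return fields


def _successful_events(log_text):
    """Yield parsed login/logout events with status=success, in file order.
    Failed login attempts are skipped: they never open a session."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get('status') != 'success':
            continue
        if ev.get('action') not in ('login', 'logout') or 'user' not in ev:
            continue
        yield ev


def current_logins(log_text):
    """Equivalent of `stats first(action) by user | where currentstate="login"`:
    map each user whose most recent successful action is a login to that login time."""
    last = {}
    for ev in _successful_events(log_text):
        last[ev['user']] = ev  # later line wins because input is chronological
    return {u: ev['_time'] for u, ev in last.items() if ev['action'] == 'login'}


def sessions(log_text):
    """Pair logins with the following logout per user.
    Returns (user, login_time, logout_time) tuples; logout_time is None for a
    session that is still open at the end of the log."""
    open_sessions = {}
    result = []
    for ev in _successful_events(log_text):
        user = ev['user']
        if ev['action'] == 'login':
            open_sessions[user] = ev['_time']
        elif user in open_sessions:  # logout closes the open session
            result.append((user, open_sessions.pop(user), ev['_time']))
    for user, start in open_sessions.items():
        result.append((user, start, None))
    return result


if __name__ == '__main__':
    for user, when in sorted(current_logins(SAMPLE_LOG).items()):
        print(f'{user:8s} logged in since {when}')
    for user, start, end in sessions(SAMPLE_LOG):
        print(f'{user:8s} {start} -> {end or "still logged in"}')
```

With the sample data, matt is excluded because his last event is a logout, bob's failed attempt is ignored and only his later successful login counts, and alice remains logged in. A user who logs in twice without logging out simply has the later login overwrite the earlier one, the same collapsing the `stats ... by user` search does.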
Under the 'status' dropdown in the Search app (if you are using 4.1+), you can slide out the 'Search Activity' submenu, and select "UI Activity". This shows you people who are accessing splunk via the web interface.
It doesn't really show you if they are actually doing something at that very moment, but you can narrow your list of people whom you need to call before doing maintenance...
You can also get some information by searching some internal splunk logs:
Based on web access to splunkd web (IP address only):
index=_internal source="*web_access.log" earliest=-15m | top clientip
Users based on interactive searches:
index=_internal source=searches | top user
User logins based on audit logs:
index=_audit action="login attempt" "info=succeeded"
There doesn't seem to be any audit of any logout events, unfortunately.