How do you find out who is logged onto Splunk right now?

Path Finder

I'm trying to find a way to see, at any given point in time, what users are actually logged into Splunk. (At least how many) Does anyone have any suggestions? Thanks!


Motivator

index=_internal sourcetype=splunkd_ui_access | stats count by clientip, user, _time | lookup dnslookup clientip | timechart distinct_count(clienthost) by clienthost span=1d limit=100

This command worked very well.

Motivator

index=_audit action="login attempt" "info=succeeded" | stats count by action, user, _time | timechart span=1d count by user

I used this.

New Member

How about pulling out the host/IP from which the user is accessing Splunk?

Path Finder

Leo,

I use almost the same way you did to build your app.
Is it compatible with SHC?

I'm very much concerned about how disk consumption is growing with the artifact replication in an SHC environment.

Below is a list of dashboards I'm trying to get done using my spare time:
- individual disk usage (searchable UI) and top disk usage users
- alert on artifacts with an expiration time of X hours and more than X MBs
- SHC artifact replication and configuration sync status among Search Heads
- per search head total disk usage historical usage curve and a "prediction" of how much disk will be needed in X months/days
- alert for a threshold on free disk space X growth percentage

Take these as suggestions to be added to your app, or point me to any apps that may
already accomplish at least part of it.

Cya.

Splunk Employee

I've put together an app that shows in real time who's logged on: Who's there
Please let me know if you have any suggestions.

Splunk Employee

Another alternative to show who has logged in during the last hour and is still logged in now:
index=_internal (action=login OR action=logout) sourcetype="splunk_web_service" earliest=-1h | stats first(action) as currentstate by user | where currentstate="login"

Path Finder

How about this?
Seems to work for me, and aside from users currently logged in, it also tracks the times when a user logged in or logged off:

index=_internal source="*web_access.log" user!="-" | eval status=if(count < 1,0,1) | timechart max(status) by user

Builder

I did like this as well.
But is there an easy way to get users as rows and time as columns?
If I do:

index=_internal source="*web_access.log" user!="-" 
| eval status=if(count < 1,0,1)
| timechart max(status) by user 
| transpose

It's close to correct, except the column headers become row1, row2, etc., not the time.
How do I fix that?

Super Champion

Nice one. Variety one.
Based on this, the timechart looks very good and the stacked one is quite cool. Cheers for this.

Explorer

Perfect, man, it works 🙂

Communicator

Kinda neat. It gets cumbersome if more than a few users are logged in or when searching over a long time period, but I like it. If you just want to count users, change "timechart" to "stats".

Splunk Employee

You can find the logout message in web_service.log:

2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5" clientip=101.33.11.153
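The "first action per user" search a few replies up and the web_service.log line format quoted here, combined in an added example that is not from this thread or from Splunk: a small Python script that parses login/logout lines in that format and reports which users are still logged in (and from which client IP). The log lines, session ids and IP addresses below are constructed samples; a line whose status is not success is ignored, since a failed login starts no session.

```python
import re

# Constructed sample lines in the web_service.log format quoted above (not real data).
SAMPLE_LOG = """\
2010-06-27 04:10:02,101 INFO [4d416354d820e7f350] account:237 - user=matt action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=101.33.11.153
2010-06-27 04:12:15,402 INFO [1a2b3c4d5e6f7a8b90] account:237 - user=alice action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.7
2010-06-27 04:15:30,003 INFO [2b3c4d5e6f7a8b9c01] account:237 - user=bob action=login status=failure reason=bad-password useragent="curl/7.64" clientip=10.0.0.9
2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=101.33.11.153
2010-06-27 04:25:01,000 INFO [3c4d5e6f7a8b9c0d12] account:237 - user=bob action=login status=success reason=user-initiated useragent="curl/7.64" clientip=10.0.0.9
"""

# Matches the fields the session logic needs: timestamp, session id, user, action, status, clientip.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ \[(?P<sid>[0-9a-f]+)\] account:\d+ - "
    r"user=(?P<user>\S+) action=(?P<action>login|logout) status=(?P<status>\S+)"
    r".*?clientip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield one dict per login/logout line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def logged_in_users(text):
    """Replay the events in log order and return {user: clientip} for every user whose
    most recent successful action is a login. This is the same idea as the SPL
    'stats first(action) as currentstate by user | where currentstate="login"'."""
    state = {}
    for ev in parse_events(text):
        if ev["status"] != "success":
            continue  # a failed login attempt does not open a session
        if ev["action"] == "login":
            state[ev["user"]] = ev["ip"]
        else:
            state.pop(ev["user"], None)  # logout closes the session if one is open
    return state


if __name__ == "__main__":
    current = logged_in_users(SAMPLE_LOG)
    print(f"{len(current)} user(s) logged in: {current}")
```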

Communicator

Under the 'status' dropdown in the Search app (if you are using 4.1+), you can slide out the 'Search Activity' submenu and select "UI Activity". This shows you the people who are accessing Splunk via the web interface.

It doesn't really show you if they are actually doing something at that very moment, but you can narrow your list of people whom you need to call before doing maintenance...

Super Champion

You can also get some information by searching some internal Splunk logs:

  1. Based on web access to splunkd web (ip address only)

    index=_internal source="*web_access.log" earliest=-15m | top clientip

  2. User based on interactive searches:

    index=_internal source=searches | top user

  3. User logins based on audit logs:

    index=_audit action="login attempt" "info=succeeded"

There doesn't seem to be any audit of any logout events, unfortunately.

Splunk Employee

You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.

https://splunk-server:8089/services/admin/httpauth-tokens

Path Finder

Using the same interface in a Splunk search:

| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName