Security

How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

dhavamanis
Builder

Can you please tell us how to find how many users are logged into Splunk and what activities they performed (user activity history such as dashboards created, searches executed, alerts created, etc.) over the period in the Splunk Web UI. Also, please tell us how to find the number of logged-in users in the Splunk Web UI.


rsennett_splunk
Splunk Employee

The Distributed Management Console has some interesting stats on the search activity, but you can turn to the _internal index and use the REST API to gather other info. For instance:

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

This will show you user IDs that were authorized during a login process rather than by a search (hence the blank searchId) running under a user ID.

Here is the rest of REST: http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTprolog

As for looking at what people are doing, you can utilize Splunk's own web access logs:

index=_internal source=*web_access.log* /app/   | rex "GET\s\/[^\/]+\/app\/(?P<app>[^\/]+)\/(?P<view>[^\s|?]+) "  | search app=* view=*| stats count by user app view

There are also a few Apps on splunkbase.splunk.com that might be helpful things to look at and steal from to create your ultimate "Big Brother" app...
X-Ray Splunk Knowledge Objects comes to mind.
https://splunkbase.splunk.com/app/1259/
That's more about who is using what (what eventtypes, macros, savedsearches) to build out their use cases, than what specific activity is happening... but it's a good way to know what to look for in the logs.

Also, if you note the related questions over on the right hand sidebar, you'll probably find other approaches as well.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

dhavamanis
Builder

Thanks. It seems the provided query is giving an error for me; can you please provide the working query?


rsennett_splunk
Splunk Employee

Sorry about that. I originally had a non-capturing group where the value of 'app' was. I made it a capturing group and now the field 'app' is extracted. The error was because app did not exist. I didn't see your comment... two years ago. Apologies.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

mlorch
Path Finder

Just to provide a working example:
index=_internal source=web_access.log /app/ | rex field=_raw "8000\/[^\/]+\/app\/(?P<app_name>[^\/]+)\/(?P<view>[^\s|?]+)" | search app_name=* view=* | stats count by user app_name view
Works for me.
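Both answers above rely on the same idea: pull the app and view names out of the request path in web_access.log and count hits by user, app and view, which also gives you the set of users who were active in the period. As an added illustration that is not part of either post, here is a Python version of that extraction run over a few constructed web_access.log lines. The line layout (user as the third field, followed by the request line) mirrors Splunk's auto-extracted user field but is an assumption for these samples, and the user names, apps and views are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Splunk's web_access.log (not real data).
# Columns assumed: client - user [timestamp] "METHOD path HTTP/1.1" status bytes ...
SAMPLE_LOG = """\
127.0.0.1 - admin [01/Jun/2024:09:00:01.000 +0000] "GET /en-US/app/search/search?q=index%3D_internal HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 1 12ms
127.0.0.1 - alice [01/Jun/2024:09:00:05.000 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 2 8ms
127.0.0.1 - alice [01/Jun/2024:09:01:10.000 +0000] "GET /en-US/app/search/search?q=error HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 3 15ms
127.0.0.1 - bob [01/Jun/2024:09:02:00.000 +0000] "GET /en-US/app/myapp/overview HTTP/1.1" 200 1024 "-" "Mozilla/5.0" - 4 9ms
127.0.0.1 - - [01/Jun/2024:09:02:30.000 +0000] "GET /en-US/account/login HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 5 3ms
127.0.0.1 - admin [01/Jun/2024:09:03:00.000 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 256 "-" "Mozilla/5.0" - 6 20ms
127.0.0.1 - admin [01/Jun/2024:09:04:00.000 +0000] "GET /en-US/app/search/search?q=failed%20login HTTP/1.1" 200 7000 "-" "Mozilla/5.0" - 7 30ms
"""

# Splunk extracts "user" from the third field of each line; this replicates that
# for the constructed samples (assumption about the layout).
USER_RE = re.compile(r'^\S+ - (?P<user>\S+) \[')

# Same structure as the rex in the answers: GET /<locale>/app/<app>/<view>, where
# the view stops at whitespace, '|' or '?' so query strings are not folded into it.
VIEW_RE = re.compile(r'GET\s/[^/]+/app/(?P<app>[^/]+)/(?P<view>[^\s|?]+)')


def extract_views(log_text):
    """Return a list of (user, app, view) for every GET of an app view.

    Lines without a /app/ path (login page, REST calls, POSTs) and hits with no
    authenticated user ('-') are skipped, matching the `search app=* view=*` step.
    """
    hits = []
    for line in log_text.splitlines():
        user_match = USER_RE.match(line)
        view_match = VIEW_RE.search(line)
        if not user_match or not view_match:
            continue
        user = user_match.group('user')
        if user == '-':
            continue
        hits.append((user, view_match.group('app'), view_match.group('view')))
    return hits


def count_by_user_app_view(log_text):
    """Equivalent of `stats count by user app view`."""
    return Counter(extract_views(log_text))


def active_users(log_text):
    """Distinct users who opened at least one app view in the period."""
    return sorted({user for user, _, _ in extract_views(log_text)})


if __name__ == "__main__":
    for (user, app, view), count in sorted(count_by_user_app_view(SAMPLE_LOG).items()):
        print(f"{user:8} {app:8} {view:12} {count}")
    print("active users:", active_users(SAMPLE_LOG))
```

Note that, like the SPL, this only sees browser traffic to app views: searches run through the REST endpoint (the POST line above) never match, so pair it with the httpauth-tokens query or the search audit logs if you need a complete picture of who ran what.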
