
How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

Builder

Can you please tell us how to find how many users are logged into Splunk and what activities they performed (user activity history such as dashboards created, searches executed, alerts created, etc.) over a period in the Splunk Web UI. Also, please tell us how to find the number of logged-in users in the Splunk Web UI.

0 Karma

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

Splunk Employee

The Distributed Management Console has some interesting stats on the search activity, but you can turn to the _internal index and use the REST API to gather other info. For instance:

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed

This will show you user IDs that were authorized during a login process rather than by a search (hence the blank searchId) running under a user ID.

Here is the rest of REST: http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTprolog

As for looking at what people are doing, you can utilize Splunk's own web access logs:

index=_internal source=*web_access.log* /app/   | rex "GET\s\/[^\/]+\/app\/(?P<app>[^\/]+)\/(?P<view>[^\s|?]+) "  | search app=* view=*| stats count by user app view

There are also a few Apps on splunkbase.splunk.com that might be helpful things to look at and steal from to create your ultimate "Big Brother" app...
X-Ray Splunk Knowledge Objects comes to mind.
https://splunkbase.splunk.com/app/1259/
That's more about who is using what (what eventtypes, macros, savedsearches) to build out their use cases, than what specific activity is happening... but it's a good way to know what to look for in the logs.

Also, if you note the related questions over on the right hand sidebar, you'll probably find other approaches as well.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
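The web_access.log approach from the answer above, carried out in Python over constructed sample lines (an added example, not code from the original thread): it applies the same rex, aggregates the way `stats count by user app view` does, and shows that a view followed by a `?query` string is not matched by the rex as written, because the pattern requires a space right after the view. Reading `user` from the third field of the line is an assumption about the log layout.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of splunkd's web_access.log
# (ip - user [time] "METHOD uri proto" status bytes ...). Not real data.
SAMPLE_WEB_ACCESS = """\
10.0.0.5 - alice [10/Jun/2015:12:00:01.123 +0000] "GET /en-US/app/search/flashtimeline HTTP/1.1" 200 4321 "-" "Mozilla/5.0" - 5577a1b2 35ms
10.0.0.5 - alice [10/Jun/2015:12:00:09.456 +0000] "GET /en-US/app/search/report HTTP/1.1" 200 1200 "-" "Mozilla/5.0" - 5577a1b3 12ms
10.0.0.7 - bob [10/Jun/2015:12:01:00.001 +0000] "GET /en-US/app/search/flashtimeline HTTP/1.1" 200 4321 "-" "Mozilla/5.0" - 5577a1c0 30ms
10.0.0.7 - bob [10/Jun/2015:12:01:05.002 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 980 "-" "Mozilla/5.0" - 5577a1c1 9ms
10.0.0.9 - carol [10/Jun/2015:12:02:00.000 +0000] "GET /en-US/app/search/flashtimeline?q=search%20index%3Dmain HTTP/1.1" 200 4321 "-" "Mozilla/5.0" - 5577a1d0 40ms
10.0.0.9 - carol [10/Jun/2015:12:02:30.000 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 300 "-" "Mozilla/5.0" - 5577a1d1 55ms
"""

# The answer's rex in Python syntax; (?P<name>...) groups work the same way.
# Note the trailing space: a view followed by "?query" does not match.
APP_VIEW_RE = re.compile(r"GET\s/[^/]+/app/(?P<app>[^/]+)/(?P<view>[^\s|?]+) ")
# Splunk auto-extracts `user` from web_access.log; here it is assumed to be
# the third whitespace-separated token of the line.
USER_RE = re.compile(r"^\S+ \S+ (?P<user>\S+) ")


def parse_line(line):
    """Return (user, app, view) for a matching line, or None when the rex
    does not match (a POST, or a GET whose view is followed by '?...')."""
    u = USER_RE.match(line)
    m = APP_VIEW_RE.search(line)
    if not u or not m:
        return None
    return u.group("user"), m.group("app"), m.group("view")


def stats_by_user_app_view(log_text):
    """Equivalent of `| search app=* view=* | stats count by user app view`.
    Returns (Counter keyed by (user, app, view), list of unmatched lines)."""
    counts, unmatched = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unmatched.append(line)
        else:
            counts[parsed] += 1
    return counts, unmatched


def distinct_users(counts):
    """Number of distinct users with at least one matching view hit."""
    return len({user for (user, _, _) in counts})


if __name__ == "__main__":
    counts, unmatched = stats_by_user_app_view(SAMPLE_WEB_ACCESS)
    for (user, app, view), n in sorted(counts.items()):
        print(f"{user:8} {app:10} {view:15} {n}")
    print(f"{distinct_users(counts)} users, {len(unmatched)} lines not matched by the rex")
```

Carol's two requests land in the unmatched list, so a count of "logged-in users" built only from this rex would undercount her; the httpauth-tokens REST call in the answer is the better source for that number.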

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

Builder

Thanks, but the provided query seems to give an error for me; can you please provide the working query?

0 Karma

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

Path Finder

Just to provide a working example:
index=_internal source=*web_access.log* /app/ | rex field=_raw "8000\/[^\/]+\/app\/(?P<appname>[^\/]+)\/(?P<view>[^\s|?]+)" | search appname=* view=* | stats count by user appname view
Works for me.

0 Karma

Re: How to find how many users are logged into Splunk and history of all their activities performed in Splunk Web?

Splunk Employee

Sorry about that. I originally had a non-capturing group where the value of 'app' was. I made it a capturing group and now the field 'app' is extracted. The error was because 'app' did not exist. I didn't see your comment... two years ago. Apologies.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma