Can you please tell us how to find out how many users are logged into Splunk and what activities they performed (user activity history such as dashboards created, searches executed, alerts created, etc.) over a period in Splunk Web UI. Also, please tell us how to find the number of logged-in users in Splunk Web UI.
The Distributed Management Console has some interesting stats on the search activity, but you can turn to the _internal index and use the REST API to gather other info. For instance:
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed
This will show you user IDs that were authorized during a login process rather than a search (hence the blank searchId) running under a user ID.
Here is the rest of REST: http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTprolog
As for looking at what people are doing, you can utilize Splunk's own web access logs:
index=_internal source=*web_access.log* /app/ | rex "GET\s\/[^\/]+\/app\/(?P<app>[^\/]+)\/(?P<view>[^\s|?]+)" | search app=* view=* | stats count by user app view
There are also a few Apps on splunkbase.splunk.com that might be helpful things to look at and steal from to create your ultimate "Big Brother" app...
X-Ray Splunk Knowledge Objects comes to mind.
That's more about who is using what (what eventtypes, macros, savedsearches) to build out their use cases, than what specific activity is happening... but it's a good way to know what to look for in the logs.
Also, if you note the related questions over on the right hand sidebar, you'll probably find other approaches as well.
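As an added illustration of what the web_access.log search above does (not part of the original answer): the same extraction applied in Python to a few constructed log lines, counting views per user, app and view and listing the distinct authenticated users. The field layout is assumed from Splunk's web_access.log; the sample events are made up.

```python
import re
from collections import Counter

# Constructed events shaped like Splunk's web_access.log (client, -, user,
# [timestamp], "request", status, bytes, "referer", "agent", -, session, time).
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Mar/2015:10:15:32.123 -0700] "GET /en-US/app/search/search?q=search%20index%3Dmain HTTP/1.1" 200 9876 "-" "Mozilla/5.0" - 8f3a 21ms
10.0.0.5 - alice [10/Mar/2015:10:16:01.004 -0700] "GET /en-US/app/search/report?s=foo HTTP/1.1" 200 4321 "-" "Mozilla/5.0" - 8f3a 15ms
10.0.0.7 - bob [10/Mar/2015:10:17:45.555 -0700] "GET /en-US/app/launcher/home HTTP/1.1" 200 5555 "-" "Mozilla/5.0" - c1d2 9ms
10.0.0.7 - bob [10/Mar/2015:10:18:02.001 -0700] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 120 "-" "Mozilla/5.0" - c1d2 30ms
10.0.0.9 - - [10/Mar/2015:10:19:10.000 -0700] "GET /en-US/account/login HTTP/1.1" 200 2000 "-" "Mozilla/5.0" - - 3ms
10.0.0.5 - alice [10/Mar/2015:10:20:00.000 -0700] "GET /en-US/app/search/search?q=other HTTP/1.1" 200 9000 "-" "Mozilla/5.0" - 8f3a 18ms
"""

# Leading fields of the access-log line: client, ident, user, timestamp, request.
ACCESS_RE = re.compile(r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"')

# Same extraction as the answer's rex: /<locale>/app/<app>/<view>; the view
# group stops at whitespace or "?", so requests with a query string still match.
APP_VIEW_RE = re.compile(r"GET\s/[^/]+/app/(?P<app>[^/]+)/(?P<view>[^\s|?]+)")

def parse_line(line):
    """Return the access-log fields of one line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def extract_app_view(request):
    """Return (app, view) for a Splunk Web app page request, else None."""
    m = APP_VIEW_RE.search(request)
    return (m.group("app"), m.group("view")) if m else None

def activity_by_user(log_text):
    """Count page views per (user, app, view), like `stats count by user app view`."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields["user"] == "-":
            continue  # unparsable, or unauthenticated (e.g. the login page itself)
        hit = extract_app_view(fields["request"])
        if hit:
            counts[(fields["user"],) + hit] += 1
    return counts

def active_users(log_text):
    """Distinct authenticated users seen in the log (the 'how many users' part)."""
    users = {f["user"] for f in map(parse_line, log_text.splitlines()) if f}
    users.discard("-")
    return sorted(users)
```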
Thanks, it seems the provided query is giving an error for me. Can you please provide a working query?
Just to provide a working example:
index=_internal source=*web_access.log* /app/ | rex field=_raw "8000\/[^\/]+\/app\/(?P<appname>[^\/]+)\/(?P<view>[^\s|?]+)" | stats count by user appname view
Works for me.
Sorry about that. I originally had a non-capturing group where the value of 'app' was. I made it a capturing group and now the field 'app' is extracted. The error was because app did not exist. I didn't see your comment... two years ago. Apologies.