I'd like to see a search that will show me who is logged in currently. Anyone know how to do this?
As far as using a search to do it, the simplest way is to search for this over something like the last 5 minutes or 30 minutes:
index=_audit | timechart count by user
The audit log ultimately will show users searching, logging in, and doing things in Manager.
(To see these categories themselves, search for the following.)
index=_audit | timechart count by action
And to get to the harder bottom line of who has active authTokens, the REST endpoint Simeon mentioned gives the only concrete answer as far as I know --
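To make the distinction in the answer above concrete (activity in _audit versus who actually holds a live session), here is an added example that is not from the original thread or from Splunk: a small Python script that parses constructed audit-style lines and reproduces, offline, what the searches `index=_audit | timechart count by user` and `... by action` would show over a trailing window, then derives a "recently active users" list that drops failed login attempts. The line layout, user names, timestamps and the fixed "now" are all constructed for illustration, not captured from a real instance.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the general shape of Splunk _audit entries.
# The exact field layout is an assumption for illustration, not a captured log.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-02-2024 10:01:05.000, user=alice, action=login_attempt, info=succeeded, src=10.0.0.5]
Audit:[timestamp=03-02-2024 10:02:10.000, user=alice, action=search, info=granted, search_id='1709373730.1']
Audit:[timestamp=03-02-2024 10:03:00.000, user=bob, action=login_attempt, info=failed, src=10.0.0.9]
Audit:[timestamp=03-02-2024 10:20:00.000, user=bob, action=login_attempt, info=succeeded, src=10.0.0.9]
Audit:[timestamp=03-02-2024 10:25:30.000, user=carol, action=edit_user, info=granted, src=10.0.0.7]
Audit:[timestamp=03-02-2024 10:28:00.000, user=alice, action=search, info=granted, search_id='1709375280.2']
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 3, 2, 10, 30, 0)

AUDIT_RE = re.compile(r"Audit:\[timestamp=(?P<ts>[^,]+), (?P<rest>.*)\]$")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit(text):
    """Parse audit lines into dicts with a datetime 'timestamp' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit event
        event = {"timestamp": datetime.strptime(m.group("ts"), TS_FORMAT)}
        for pair in m.group("rest").split(", "):
            key, _, value = pair.partition("=")
            event[key] = value.strip("'")
        events.append(event)
    return events


def in_window(events, now, minutes):
    """Keep only events inside the trailing window, like a 'last N minutes' search."""
    cutoff = now - timedelta(minutes=minutes)
    return [e for e in events if cutoff <= e["timestamp"] <= now]


def count_by_user(events, now, minutes):
    """Single-bucket version of: index=_audit | timechart count by user."""
    return Counter(e["user"] for e in in_window(events, now, minutes))


def count_by_action(events, now, minutes):
    """Single-bucket version of: index=_audit | timechart count by action."""
    return Counter(e["action"] for e in in_window(events, now, minutes))


def recently_active_users(events, now, minutes):
    """Users with a successful (granted/succeeded) audited action inside the window.

    Failed login attempts are excluded so a guessing source does not look 'logged in'.
    Caveat from the thread: this is recent activity, not live session tokens. An idle
    user holding a valid session will not appear here; for that you need the REST
    HTTP auth tokens endpoint the other answer mentions.
    """
    good = {"granted", "succeeded"}
    return sorted({e["user"] for e in in_window(events, now, minutes) if e.get("info") in good})


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    print("count by user (30 min):", dict(count_by_user(events, NOW, 30)))
    print("count by action (30 min):", dict(count_by_action(events, NOW, 30)))
    print("recently active (10 min):", recently_active_users(events, NOW, 10))
```

Shrinking the window (5 minutes instead of 30) behaves like tightening the search's time picker: users who were busy earlier drop out, which is exactly why the audit-based view is an approximation of "logged in" rather than a list of valid sessions.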
Per another thread:
You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.