Security

Is there a way to find the number of UI users logged into Splunk at any given time?

Splunk Employee
Splunk Employee

I'd like to see a search that will show me who is logged in currently. Anyone know how to do this?

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

As far as using a search to do it, the simplest way is to search for this over something like the last 5 minutes or 30 minutes:

index=_audit | timechart count by user

the audit log ultimately will show users searching, logging-in, and doing things in manager.
(to see these categories themselves search for index=_audit | timechart count by action )

and to get to the harder bottom line of who has active authTokens, the rest endpoint Simeon mentioned gives the only concrete answer as far as I know --

https://splunk-server:8089/services/admin/httpauth-tokens

View solution in original post

SplunkTrust
SplunkTrust

As far as using a search to do it, the simplest way is to search for this over something like the last 5 minutes or 30 minutes:

index=_audit | timechart count by user

the audit log ultimately will show users searching, logging-in, and doing things in manager.
(to see these categories themselves search for index=_audit | timechart count by action )

and to get to the harder bottom line of who has active authTokens, the rest endpoint Simeon mentioned gives the only concrete answer as far as I know --

https://splunk-server:8089/services/admin/httpauth-tokens

View solution in original post

Splunk Employee
Splunk Employee

Per another thread:

You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.

https://splunk-server:8089/services/admin/httpauth-tokens

http://answers.splunk.com/questions/3768/how-do-you-find-out-who-is-logged-onto-splunk-right-now

0 Karma