Splunk Search

How can I Find what system or host a user is currently logged in to?

TGel
Observer

Hi,

I am very new to Splunk.

I searched for this but could not find a match.

Is it possible to find what system or host a user is currently logged in to?


0 Karma

gcusello
SplunkTrust

Hi @TGel,

You can use this search to find the users logged in:

index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR "scheduler__nobody__search" OR "nobody") action="login attempt" 
| join type=left user [ 
     | rest /services/authentication/users    
     | rename title As user 
     | fields user realname     
     ] 
| stats values(realname) AS RealName max(_time) AS DateTimeStart by user host
| eval DateTimeStart=strftime(DateTimeStart,"%d/%m/%Y %H.%M.%S") 
| rename user As UserName DateTimeStart AS Access host AS HostName

If instead you want the sessions, with host, you can use this:

index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR "scheduler__nobody__search" OR "nobody") 
| join type=left user [ 
     | rest /services/authentication/users    
     | rename title As user
     | fields user realname 
     ] 
| transaction user startswith="login attempt" 
| delta _time AS TimeDelta 
| eval 
     TimeStamp=strftime(_time,"%d/%m/%Y %H.%M.%S"),      "Duration"=tostring(abs(round(if(isnull(TimeDelta),_time-now(),TimeDelta),0)),"duration"),  
     Session=if(isnull(TimeDelta),"Active","Closed") 
| table TimeStamp host user realname "Duration" Session 
| rename host AS HostName user AS User realname AS "Real Name"

Ciao.

Giuseppe

0 Karma
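To make clear what the two searches above actually compute, here is a small Python re-implementation of the same logic run over a handful of constructed _audit-style lines. This is an added example, not code from the thread or from Splunk: the key=value line format and the host= field are a simplified stand-in for real _audit events, the REALNAMES dict stands in for the `| rest /services/authentication/users` join, and DEMO_NOW replaces now(). One caveat worth knowing: the searches match on action="login attempt" without checking info, so failed login attempts are counted as logins; the example keeps that behaviour by default and offers require_success=True to keep only info=succeeded events.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Accounts the forum search excludes (system and scheduler identities)
EXCLUDED_USERS = {"n/a", "splunk-system-user", "-1", "scheduler__nobody__search", "nobody"}

# Constructed stand-in for the `| rest /services/authentication/users` lookup
REALNAMES = {"alice": "Alice Example", "bob": "Bob Example"}

# Constructed sample events in a simplified key=value form resembling the _audit
# index. host= stands in for the event's host metadata; timestamps are read as UTC.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=04-15-2021 08:00:00.000, user=alice, action=login attempt, info=succeeded, host=sh01]",
    "Audit:[timestamp=04-15-2021 08:05:00.000, user=alice, action=search, info=granted, host=sh01]",
    "Audit:[timestamp=04-15-2021 09:00:00.000, user=bob, action=login attempt, info=succeeded, host=sh02]",
    "Audit:[timestamp=04-15-2021 09:30:00.000, user=splunk-system-user, action=login attempt, info=succeeded, host=sh01]",
    "Audit:[timestamp=04-15-2021 10:00:00.000, user=alice, action=login attempt, info=succeeded, host=sh02]",
    "Audit:[timestamp=04-15-2021 10:30:00.000, user=mallory, action=login attempt, info=failed, host=sh02]",
    "Audit:[timestamp=04-15-2021 11:00:00.000, user=alice, action=login attempt, info=succeeded, host=sh01]",
]

# Fixed "now" so the Active session durations are reproducible (constructed)
DEMO_NOW = datetime(2021, 4, 15, 12, 0, tzinfo=timezone.utc)

KV_RE = re.compile(r"(\w+)=([^,\]]+)")
TIME_FMT = "%m-%d-%Y %H:%M:%S.%f"
OUT_FMT = "%d/%m/%Y %H.%M.%S"  # the display format used by the forum searches


def parse_audit_line(line):
    """Extract the key=value pairs of one _audit event; None if it lacks the basics."""
    fields = {k: v.strip() for k, v in KV_RE.findall(line)}
    if "timestamp" not in fields or "user" not in fields:
        return None
    fields["_time"] = datetime.strptime(fields["timestamp"], TIME_FMT).replace(tzinfo=timezone.utc)
    return fields


def login_events(lines, require_success=False):
    """The base search: action="login attempt" minus the excluded users.
    The original search never checks `info`, so failed attempts are included
    unless require_success=True is passed."""
    events = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["user"] in EXCLUDED_USERS or ev.get("action") != "login attempt":
            continue
        if require_success and ev.get("info") != "succeeded":
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def last_login_by_user_host(lines, require_success=False):
    """First search: stats max(_time) by user host, plus realname from the lookup."""
    latest = {}
    for ev in login_events(lines, require_success):
        key = (ev["user"], ev.get("host", "unknown"))
        if key not in latest or ev["_time"] > latest[key]["_time"]:
            latest[key] = ev
    return {
        key: {"RealName": REALNAMES.get(key[0], ""), "Access": ev["_time"].strftime(OUT_FMT)}
        for key, ev in latest.items()
    }


def login_sessions(lines, now, require_success=False):
    """Second search: one session per login attempt, closed by the same user's next
    login (transaction + delta). Duration is the gap to that next login in seconds,
    or now - login time for the most recent, still Active, session."""
    by_user = defaultdict(list)
    for ev in login_events(lines, require_success):
        by_user[ev["user"]].append(ev)
    rows = []
    for user in sorted(by_user):
        logins = by_user[user]
        for i, ev in enumerate(logins):
            is_last = i == len(logins) - 1
            end = now if is_last else logins[i + 1]["_time"]
            rows.append({
                "TimeStamp": ev["_time"].strftime(OUT_FMT),
                "HostName": ev.get("host", "unknown"),
                "User": user,
                "Real Name": REALNAMES.get(user, ""),
                "Duration": int(abs((end - ev["_time"]).total_seconds())),
                "Session": "Active" if is_last else "Closed",
            })
    return rows


if __name__ == "__main__":
    for key, row in sorted(last_login_by_user_host(SAMPLE_AUDIT_LINES).items()):
        print(key, row)
    for row in login_sessions(SAMPLE_AUDIT_LINES, DEMO_NOW):
        print(row)
```

Running it shows the difference between the two views: the per user/host table only tells you where a user last logged in, while the session table treats each login as open until that user's next login, which is why the last login of every user always shows as Active regardless of whether the person is still there.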

TGel
Observer

Thanks for the reply. I appreciate it!

Sorry, I am very new at this.

What do I do with that "search" text?

Or

How do I enter that on the Splunk Search page?

0 Karma

gcusello
SplunkTrust

Hi @TGel,

You have to:

  • take one of my searches,
  • define a time period using the time picker,
  • run the search,
  • if you like, save it as a dashboard panel or a report.

I suggest following the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchTutorial/WelcometotheSearchTutorial) and the Splunk Fundamentals I training (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) to better understand how Splunk works.

You can also find interesting videos on YouTube.

Ciao.

Giuseppe

0 Karma