Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I Find what system or host a user is currently logged in to?

TGel
Observer
‎04-20-2021 06:52 AM

Hi,

I am very new to Splunk.

I searched for this but, could not find a match..

Is it possible to find what system or host a user is currently logged in to?

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-20-2021 07:37 AM

Hi @TGel,

You can use this search to find the users logged in:

index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR "scheduler__nobody__search" OR "nobody") action="login attempt" 
| join type=left user [ 
     | rest /services/authentication/users    
     | rename title As user 
     | fields user realname     
     ] 
| stats values(realname) AS RealName max(_time) AS DateTimeStart by user host
| eval DateTimeStart=strftime(DateTimeStart,"%d/%m/%Y %H.%M.%S") 
| rename user As UserName DateTimeStart AS Access host AS HostName

If instead you want the sessions, with host, you can use this:

index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR "scheduler__nobody__search" OR "nobody") 
| join type=left user [ 
     | rest /services/authentication/users    
     | rename title As user
     | fields user realname 
     ] 
| transaction user startswith="login attempt" 
| delta _time AS TimeDelta 
| eval 
     TimeStamp=strftime(_time,"%d/%m/%Y %H.%M.%S"),      "Duration"=tostring(abs(round(if(isnull(TimeDelta),_time-now(),TimeDelta),0)),"duration"),  
     Session=if(isnull(TimeDelta),"Active","Closed") 
| table TimeStamp host user realname "Duration" Session 
| rename host AS HostName user AS User realname AS "Real Name"

Ciao.

Giuseppe

0 Karma
Reply

TGel
Observer
‎04-20-2021 07:47 AM

Thanks for the reply.  I appreciate  it!

 

Sorry, I am very new at this..

What do I do with that "search" text?

Or

How do I enter that on the splunk Search page?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-20-2021 09:23 AM

Hi @TGel,

you have to:

  • take one of my searches,
  • define a time period using the time picker,
  • run the search,
  • if you like, you can save it a dashboard panel or a report.

I hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchTutorial/WelcometotheSearchTutorial) and the Splunk Fundamentals I training (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) to better understand how Splunk works.

You can also find interesting videos on YouTube.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...