Hi,
I am very new to Splunk.
I searched for this but could not find a match.
Is it possible to find what system or host a user is currently logged in to?
Hi @TGel,
You can use this search to find the users logged in:
index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR user="scheduler__nobody__search" OR user="nobody") action="login attempt"
| join type=left user [
| rest /services/authentication/users
| rename title As user
| fields user realname
]
| stats values(realname) AS RealName max(_time) AS DateTimeStart by user host
| eval DateTimeStart=strftime(DateTimeStart,"%d/%m/%Y %H.%M.%S")
| rename user As UserName DateTimeStart AS Access host AS HostName
If instead you want the sessions, with host, you can use this:
index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR user="scheduler__nobody__search" OR user="nobody")
| join type=left user [
| rest /services/authentication/users
| rename title As user
| fields user realname
]
| transaction user startswith="login attempt"
| delta _time AS TimeDelta
| eval
TimeStamp=strftime(_time,"%d/%m/%Y %H.%M.%S"), "Duration"=tostring(abs(round(if(isnull(TimeDelta),_time-now(),TimeDelta),0)),"duration"),
Session=if(isnull(TimeDelta),"Active","Closed")
| table TimeStamp host user realname "Duration" Session
| rename host AS HostName user AS User realname AS "Real Name"
Ciao.
Giuseppe
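As an added illustration, not Giuseppe's code and not part of the original thread, the same logic in Python over constructed lines that approximate _audit "login attempt" events: drop the system users, keep only successful attempts (an assumption; the searches above do not filter on the info field), open one session per login, close it when the same user logs in again, and report the host of each user's Active session. The host=... prefix and the timestamps are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines approximating Splunk _audit login events.
# Assumption: the indexer-assigned host field is carried inline as host=...
AUDIT_LINES = [
    "host=sh01 Audit:[timestamp=03-10-2021 08:00:00.000, user=alice, action=login attempt, info=succeeded]",
    "host=sh01 Audit:[timestamp=03-10-2021 08:05:00.000, user=splunk-system-user, action=login attempt, info=succeeded]",
    "host=sh02 Audit:[timestamp=03-10-2021 09:30:00.000, user=alice, action=login attempt, info=succeeded]",
    "host=sh01 Audit:[timestamp=03-10-2021 10:00:00.000, user=bob, action=login attempt, info=failed]",
    "host=sh01 Audit:[timestamp=03-10-2021 10:01:00.000, user=bob, action=login attempt, info=succeeded]",
]
SAMPLE_NOW = datetime(2021, 3, 10, 12, 0, 0)  # constructed "now" for Active durations
EXCLUDED_USERS = {"n/a", "splunk-system-user", "-1", "scheduler__nobody__search", "nobody"}
LINE_RE = re.compile(
    r"host=(?P<host>\S+) Audit:\[timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>[^\]]+)\]"
)

def parse_logins(lines):
    """Keep successful login attempts by real users, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "login attempt" or m["user"] in EXCLUDED_USERS:
            continue
        if m["info"].strip() != "succeeded":
            continue
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f")
        events.append({"time": ts, "host": m["host"], "user": m["user"]})
    return sorted(events, key=lambda e: e["time"])

def sessions(lines, now=SAMPLE_NOW):
    """One session per login; Closed if the user logged in again later, else Active."""
    per_user = {}
    for e in parse_logins(lines):
        per_user.setdefault(e["user"], []).append(e)
    out = []
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            nxt = evs[i + 1]["time"] if i + 1 < len(evs) else None
            end = nxt if nxt is not None else now
            out.append({"user": user, "host": e["host"], "start": e["time"],
                        "duration_s": int((end - e["time"]).total_seconds()),
                        "session": "Closed" if nxt is not None else "Active"})
    return out

def current_host(lines, now=SAMPLE_NOW):
    """Host of each user's Active session (the max(_time) by user host of the first search)."""
    return {s["user"]: s["host"] for s in sessions(lines, now) if s["session"] == "Active"}
```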
Thanks for the reply. I appreciate it!
Sorry, I am very new at this.
What do I do with that "search" text?
Or
How do I enter that on the Splunk Search page?
Hi @TGel,
you have to:
I suggest following the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchTutorial/WelcometotheSearchTutorial) and the Splunk Fundamentals I training (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) to better understand how Splunk works.
You can also find interesting videos on YouTube.
Ciao.
Giuseppe