I suppose OP wants a lis of active logged in sessions on a particular SH.

You can get that (and the query used to populate the table) in the monitoring console -> search -> activity (or something like that)

Yes, thats right.

I am workinng on sizing Splunk instances in AWS to migrate our current on-prem platform to AWS and was referring this guide It mentions about concurrent Splunk users. Hence, why I am trying to figure out where/how I can find that info.

I checked where you mentioned, but it mainly shows concurrent searches, not users.

Hi

I'm afraid that you cannot get exact numbers of concurrent users in any particular time from splunk. You could try to get some information about it to look those searches etc. from audit trail, but it never told that concurrent user amount. Fortunately you don't need that for sizing your AWS splunk environment 😉

More important information is concurrent searches than users. And that you can see from MC. On MC you also see how well your current environment is working with current load. Of course there are many things what you must check, but one which you must check is MC -> Searches -> Scheduler Activity. That tolds to you how much you need cores etc. to fulfil your current needs. Look Skipped and Deferred items there.

r. Ismo

That's correct. I was writing from memory. Apparently it fooled me 😉

You should be able to get list of searches from _internal index and check how many users issued those searches during some time. That's one of possible approaches.