
In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Path Finder

What setup is required, and what would the search be, so that I can find out:

  1. who has logged in to the system in the last 30 minutes
  2. what kind of searches they are running
  3. which search head (I have three in my cluster) these users were connected/logged in to

thanks, ronak

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Influencer

Start here

For users logged in, and which search head they are on:

index=_internal sourcetype=splunk_web_access | dedup host user | table host user

For the searches issued:

index=_internal sourcetype=splunkd_remote_searches

Cross-check the sourcetypes for the exact naming.

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Explorer

The sourcetype splunk_web_access isn't available, at least in version 6.3.3.

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Path Finder

Verified on 6.5.3:

index=_internal sourcetype=splunkd_ui_access | dedup host user | table host user _time req_time

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Builder

If you have an indexer cluster, you should have all this info in the Distributed Management Console on the Cluster Master.

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Path Finder

Where is that in the DMC?

0 Karma

Re: In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Path Finder

splunk_web_access -> splunkd_ui_access

Logged-in users:

index=_internal sourcetype=splunkd_ui_access | dedup host user | table host user _time req_time

Logged-in users, rolling time:

index=_internal sourcetype=splunkd_ui_access | table host user _time req_time
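Pulling the thread together into one search that answers all three of the original questions (who, on which member, running what), as an added example rather than any poster's search: the logged-in users come from splunkd_ui_access as above, and the searches each user ran come from the _audit index (action=search info=granted), which every search head cluster member writes locally, so host identifies the member in both sourcetypes. The _audit field names (user, search, search_id) are assumed from a standard install; user!="-" drops unauthenticated hits such as the login page, splunk-system-user is excluded so scheduled searches do not show up as a person, and the window is fixed at 30 minutes instead of relying on the time picker.

```spl
index=_internal sourcetype=splunkd_ui_access earliest=-30m latest=now user!="-"
| stats latest(_time) AS last_seen, count AS ui_requests BY host, user
| join type=left host user
    [ search index=_audit action=search info=granted earliest=-30m latest=now user!="splunk-system-user" search=*
      | stats count AS searches_run, dc(search_id) AS distinct_searches, values(search) AS searches BY host, user ]
| fillnull value=0 searches_run distinct_searches
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host, user, last_seen, ui_requests, searches_run, distinct_searches, searches
| sort host, user
```

Run it from any member: because _internal and _audit are forwarded to the indexers, one search sees all three members' events, and a user with ui_requests but searches_run=0 is someone who logged in without dispatching a search.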