Splunk Search

Users who are logged in right now

Ant1D
Motivator

Hey,

Is there a search that shows all of the users that are logged in to my Splunk instance right now?

I have some searches (via index=_audit) that show which users have logged on successfully but it would be good to be able to see at any time those who are currently logged in using Splunk.

Any help would be much appreciated.

Thanks in advance.

1 Solution

Brian_Osburn
Builder

I use this:

index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user

It may not be the best, but it gives me an idea who's in the system and the last action they took. Useful when you need to do stealth restarts in production 🙂

Brian


neltonk
Path Finder

index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user

0 Karma

Lowell
Super Champion

Another approach is to look at who is currently authenticated to your splunkd process. This isn't really a search, but it may give you the info you are looking for.

https://your-splunk-server:8089/services/authentication/httpauth-tokens

Note the "userName" field.

wrangler2x
Motivator

Very interesting. Looking at it though, it seems that 'updated' is not very helpful... it seems to always reflect the current time. I think the more interesting field is max(timeAccessed) because it appears to reflect actual last usage.

I also have another search I have been using with some success:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

tecooper
Explorer

Thanks wrangler2x, this is exactly what I needed!

0 Karma

kurdbahr
Path Finder

You can make it into a search like this:

| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName


jotne
Builder

I made a dashboard for this. Works fine even in a distributed setup with many search heads.

<form theme="dark">
  <label>Current online users</label>
  <!--
  1.0 #jotne 09.02.2021
  -->
  <search id="base_search">
    <query>
      index=_audit 
      NOT user IN (n/a splunk-system-user) 
      NOT "scheduler__nobody__search"
      host="$Server$"
      user="$User$"
      | fields timestamp host user
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="time">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Server">
      <label>Server</label>
      <search base="base_search">
        <query>
          | eval data=host
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="User">
      <label>User</label>
      <search base="base_search">
        <query>
          | eval data=user
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="radio" token="sort">
      <label>Sort by</label>
      <choice value="host">Server</choice>
      <choice value="user">User</choice>
      <initialValue>host</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by $sort$
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="height">300</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search base="base_search">
          <query>
            | stats latest(timestamp) as last_seen by user host
            | sort - last_seen</query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

drapkin11
Explorer

@wrangler2x: I think adding savedsearch_name="" to the query above would address your valid concerns about saved searches that automatically run for certain user accounts. That particular field should be non-empty if it is really a saved search.

0 Karma

wrangler2x
Motivator

The problem with this search is that it shows users who have not logged in -- for example, audit records that track saved searches run for a particular user.

I have not figured out a way to screen those out, because if the action is 'search' you can't use that to screen them because a logged-in user can also have audit records that have that action.

Keith_wgtn
Explorer

This one seems better as it excludes scheduled searches.

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

0 Karma
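As an added illustration (not code from any post in this thread), the Python below models the filtering the thread converges on, applied to constructed audit lines: drop the system users and scheduler runs from Brian's search, drop events with a non-empty savedsearch_name as drapkin11 suggests, and keep only users who also appear in web_access.log as in wrangler2x's and Keith_wgtn's search. The line format, the 60-minute window and the web_access user set are assumptions made for the example, not Splunk's exact audit.log layout.

```python
import re
from datetime import datetime, timedelta

# key=value parser for the simplified, constructed audit lines below (values may be quoted)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|([^,\s\]]*))')
TS_FMT = "%m-%d-%Y %H:%M:%S"  # assumed timestamp layout for the constructed lines

SYSTEM_USERS = {"n/a", "splunk-system-user"}    # NOT user="n/a" NOT user="splunk-system-user"
SCHEDULER_MARKER = "scheduler__nobody__search"   # NOT "scheduler__nobody__search"
INTERACTIVE_ACTIONS = {"search", "rtsearch"}     # action="search" OR action="rtsearch"


def parse_audit_event(line):
    """Return the key=value pairs of one constructed audit line as a dict."""
    return {k: dq or sq or bare for k, dq, sq, bare in KV_RE.findall(line)}


def interactive_users(audit_lines, web_access_users, now, window=timedelta(minutes=60)):
    """Map user -> last interactive search time within the window.

    Mirrors the thread's filters; web_access_users stands in for the
    [search index=_internal source="*web_access.log" user!="-" ...] subsearch.
    """
    last_seen = {}
    for line in audit_lines:
        if SCHEDULER_MARKER in line:          # scheduled run, not a person
            continue
        ev = parse_audit_event(line)
        user = ev.get("user", "n/a")
        if user in SYSTEM_USERS or user not in web_access_users:
            continue
        if ev.get("action") not in INTERACTIVE_ACTIONS:
            continue
        if ev.get("savedsearch_name", ""):    # drapkin11: saved searches carry a name
            continue
        ts = datetime.strptime(ev["timestamp"], TS_FMT)
        if now - ts > window:
            continue
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    return last_seen


# Constructed sample data: NOW, the users with a web_access.log entry, and audit events.
NOW = datetime(2021, 3, 10, 11, 0, 0)
WEB_USERS = {"alice", "bob"}
AUDIT_LINES = [
    'Audit:[timestamp="03-10-2021 10:12:05", user=alice, action=search, info=granted, savedsearch_name=""]',
    'Audit:[timestamp="03-10-2021 10:40:00", user=alice, action=search, info=completed, savedsearch_name=""]',
    'Audit:[timestamp="03-10-2021 10:45:00", user=bob, action=search, info=granted, savedsearch_name="Nightly errors"]',
    'Audit:[timestamp="03-10-2021 10:50:00", user=carol, action=search, info=granted, savedsearch_name=""]',
    'Audit:[timestamp="03-10-2021 10:55:00", user=splunk-system-user, action=search, info=granted, savedsearch_name=""]',
    'Audit:[timestamp="03-10-2021 09:30:00", user=bob, action=search, info=granted, savedsearch_name=""]',
    'Audit:[timestamp="03-10-2021 10:59:00", user=admin, action=search, info=granted, search_id="scheduler__nobody__search__RMD5x_at_1_1", savedsearch_name=""]',
]
```

Running interactive_users(AUDIT_LINES, WEB_USERS, NOW) keeps only alice (last seen 10:40): bob's recent event is a scheduled search and his interactive one is outside the window, carol never logged in through the web UI, and the remaining lines are system or scheduler activity.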

Ant1D
Motivator

I forgot about this question. I ended up writing a similar search that does the job.

0 Karma