Hey,
Is there a search that shows all of the users that are logged in to my Splunk instance right now?
I have some searches (via index=_audit) that show which users have logged on successfully but it would be good to be able to see at any time those who are currently logged in using Splunk.
Any help would be much appreciated.
Thanks in advance.
I use this:
index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user
It may not be the best, but it gives me an idea who's in the system and the last action they took. Useful when you need to do stealth restarts in production 🙂
Brian
Another approach is to look at who is currently authenticated to your splunkd process. This isn't really a search, but it may give you the info you are looking for.
https://your-splunk-server:8089/services/authentication/httpauth-tokens
Note the "userName" field.
Very interesting. Looking at it though, it seems that 'updated' is not very helpful... it seems to always reflect the current time. I think the more interesting field is max(timeAccessed) because it appears to reflect actual last usage.
I also have another search I have been using with some success:
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user
Thanks wrangler2x, this is exactly what I needed!
You can make it into a search like this:
| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName
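The REST approach above, scripted so it can run from outside Splunk (for instance from a change-management job before one of those stealth restarts). This is an added example, not code from the thread or from Splunk. It assumes the httpauth-tokens endpoint returns the standard Splunk Atom feed, one entry per session token with an s:dict holding userName and timeAccessed; SAMPLE_FEED is constructed for the demo, and the exact timeAccessed text may differ between versions, so parse_time accepts both a ctime-style value and ISO 8601. The endpoint lists every session on the instance you query, so it normally needs an admin role, and in a search head cluster you have to ask each search head (which is what splunk_server=local does in the search above).

```python
"""Who currently holds a splunkd session, via /services/authentication/httpauth-tokens.

Added example for this thread, not code from the original answer or from Splunk.
Assumes the usual Splunk Atom feed (one <entry> per token, <s:dict> keys such as
userName/timeAccessed, plus Atom <updated>). SAMPLE_FEED is constructed.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Optional

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed feed: alice holds two sessions, bob one, plus the internal
# splunk-system-user. 'updated' is identical everywhere, matching the
# observation above that it just mirrors the current time.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>tok1</title><updated>2021-02-16T10:30:00+01:00</updated><content type="text/xml"><s:dict>
    <s:key name="userName">alice</s:key><s:key name="timeAccessed">Tue Feb 16 10:15:22 2021</s:key>
  </s:dict></content></entry>
  <entry><title>tok2</title><updated>2021-02-16T10:30:00+01:00</updated><content type="text/xml"><s:dict>
    <s:key name="userName">alice</s:key><s:key name="timeAccessed">Tue Feb 16 09:05:00 2021</s:key>
  </s:dict></content></entry>
  <entry><title>tok3</title><updated>2021-02-16T10:30:00+01:00</updated><content type="text/xml"><s:dict>
    <s:key name="userName">bob</s:key><s:key name="timeAccessed">Tue Feb 16 07:40:10 2021</s:key>
  </s:dict></content></entry>
  <entry><title>tok4</title><updated>2021-02-16T10:30:00+01:00</updated><content type="text/xml"><s:dict>
    <s:key name="userName">splunk-system-user</s:key><s:key name="timeAccessed">Tue Feb 16 10:29:59 2021</s:key>
  </s:dict></content></entry>
</feed>"""


def fetch_httpauth_tokens(base_url, username, password, verify_tls=True):
    """GET the raw feed with basic auth; count=0 returns every entry, not one page.
    Disable verification only against a lab box with a self-signed cert on 8089."""
    req = urllib.request.Request(base_url.rstrip("/") + "/services/authentication/httpauth-tokens?count=0")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode())
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_time(value) -> Optional[datetime]:
    """Naive wall-clock datetime from a ctime-style or ISO 8601 string, else None."""
    value = (value or "").strip()
    try:
        return datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        pass
    try:
        return datetime.fromisoformat(value).replace(tzinfo=None)
    except ValueError:
        return None


def parse_httpauth_tokens(xml_text: str) -> list:
    """One dict per <entry>: all <s:key> fields plus the Atom 'updated' value."""
    root = ET.fromstring(xml_text)
    tokens = []
    for entry in root.iter(ATOM + "entry"):
        fields = {"updated": entry.findtext(ATOM + "updated", default="")}
        for key in entry.iter(SREST + "key"):
            fields[key.get("name")] = (key.text or "").strip()
        tokens.append(fields)
    return tokens


def last_access_by_user(tokens, ignore=("splunk-system-user",)) -> dict:
    """max(timeAccessed) per userName, the same aggregation as the SPL above;
    falls back to 'updated' only when a token has no timeAccessed at all."""
    latest = {}
    for tok in tokens:
        user = tok.get("userName")
        if not user or user in ignore:
            continue
        seen = parse_time(tok.get("timeAccessed")) or parse_time(tok.get("updated"))
        if seen is not None and (user not in latest or seen > latest[user]):
            latest[user] = seen
    return latest


def active_within(latest: dict, minutes: int, now=None) -> list:
    """Users whose newest token was touched in the last `minutes`, sorted by name."""
    if isinstance(now, str):
        now = parse_time(now)
    cutoff = (now or datetime.now()) - timedelta(minutes=minutes)
    return sorted(u for u, seen in latest.items() if seen >= cutoff)


if __name__ == "__main__":
    # Offline demo on the constructed feed; swap in fetch_httpauth_tokens(...) for a live server.
    by_user = last_access_by_user(parse_httpauth_tokens(SAMPLE_FEED))
    for user, seen in sorted(by_user.items()):
        print(f"{user:20s} last access {seen:%Y-%m-%d %H:%M:%S}")
    print("active in last 60 min:", active_within(by_user, 60, "2021-02-16T10:30:00"))
```

The aggregation keys on timeAccessed rather than updated for the reason given above: a session token that was issued hours ago and never touched since is still "logged in" from splunkd's point of view, so an activity window (active_within) is what actually tells you whether somebody is working right now.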
I made a dashboard for this. Works fine even in a distributed setup with many search heads.
<form theme="dark">
  <label>Current online users</label>
  <!--
    1.0 #jotne 09.02.2021
  -->
  <search id="base_search">
    <query>
      index=_audit
      NOT user IN (n/a splunk-system-user)
      NOT "scheduler__nobody__search"
      host="$Server$"
      user="$User$"
      | fields timestamp host user
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="time">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Server">
      <label>Server</label>
      <search base="base_search">
        <query>
          | eval data=host
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="User">
      <label>User</label>
      <search base="base_search">
        <query>
          | eval data=user
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="radio" token="sort">
      <label>Sort by</label>
      <choice value="host">Server</choice>
      <choice value="user">User</choice>
      <initialValue>host</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by $sort$
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="height">300</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search base="base_search">
          <query>
            | stats latest(timestamp) as last_seen by user host
            | sort - last_seen
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
@wrangler2x: I think adding savedsearch_name="" to the query above would address your valid concerns about saved searches that automatically run for certain user accounts. That particular field should be non-empty if it is really a saved search.
The problem with this search is that it shows users who have not logged in -- for example, audit records that track saved searches run for a particular user.
I have not figured out a way to screen those out, because if the action is 'search' you can't use that to screen them because a logged-in user can also have audit records that have that action.
This one seems better as it excludes scheduled searches.
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user
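The screening logic the last few comments converge on (drop n/a and splunk-system-user, drop scheduler-run searches, and the savedsearch_name="" idea), applied to raw audit.log lines so you can see exactly which events survive. This is an added example, not code from any of the posts; SAMPLE_AUDIT_LOG is constructed to follow the usual Audit:[key=value, ...] layout and is not real data. It generalises the thread's NOT "scheduler__nobody__search" to any scheduler-owned search_id, since a report saved under a named user is scheduled as scheduler__<user>__... and would otherwise show that user as "present". One caveat on the savedsearch_name filter: a report a user launches by hand from the UI also carries its savedsearch_name, so that rule can hide genuine activity; it is therefore a switch here rather than a hard rule, and the search_id check is the one I would rely on.

```python
"""Screen _audit events down to interactively logged-in users.

Added example, not code from the thread. Parses raw audit.log lines of the
form 'Audit:[timestamp=..., user=..., action=..., ...][n/a]'. The sample log is
constructed; field names follow the thread (user, action, search_id,
savedsearch_name) and the scheduler__ search_id prefix it filters on.
"""
import re
from datetime import datetime

SYSTEM_USERS = frozenset({"n/a", "splunk-system-user"})

# Constructed sample: alice logs in and searches; a failed login with user=n/a;
# two scheduler-run reports (owner nobody, owner bob); carol runs a report by
# hand (non-scheduler search_id but savedsearch_name set); a system search.
SAMPLE_AUDIT_LOG = """\
02-16-2021 09:58:01.410 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 09:58:01.410, user=alice, action=login attempt, info=succeeded reason=user-initiated useragent=Mozilla/5.0 clientip=10.0.0.12][n/a]
02-16-2021 10:05:44.900 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:05:44.900, user=n/a, action=login attempt, info=failed reason=user-initiated useragent=curl/7.68 clientip=10.0.0.99][n/a]
02-16-2021 10:15:22.123 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:15:22.123, user=alice, action=search, info=granted , search_id='1613466922.123', search='search index=_internal | head 10', autojoin='1', buckets=0, ttl=600, savedsearch_name=""][n/a]
02-16-2021 10:20:00.005 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:20:00.005, user=nobody, action=search, info=granted , search_id='scheduler__nobody__search__RMD5a1b2c3_at_1613467200_7', search='search index=_internal log_level=ERROR', ttl=120, savedsearch_name="Errors last hour"][n/a]
02-16-2021 10:25:00.211 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:25:00.211, user=bob, action=search, info=granted , search_id='scheduler__bob__search__RMD5d4e5f6_at_1613467500_9', search='search index=main sourcetype=syslog', ttl=120, savedsearch_name="Daily syslog report"][n/a]
02-16-2021 10:27:30.040 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:27:30.040, user=carol, action=search, info=granted , search_id='1613467650.040', search='search index=_internal log_level=ERROR', ttl=600, savedsearch_name="Errors last hour"][n/a]
02-16-2021 10:29:00.000 +0100 INFO  AuditLogger - Audit:[timestamp=02-16-2021 10:29:00.000, user=splunk-system-user, action=search, info=granted , search_id='1613467740.001', search='| rest /services/server/info', savedsearch_name=""][n/a]
"""
SAMPLE_AUDIT_LINES = SAMPLE_AUDIT_LOG.splitlines()

# Body between 'Audit:[' and the closing ']', ignoring the trailing '[n/a]'.
AUDIT_BODY = re.compile(r"Audit:\[(.*?)\](?:\[[^\]]*\])?\s*$")
# key=value pairs: bare (up to the next comma), 'single' or "double" quoted;
# quoted values may contain commas, which is why a plain split on ',' fails.
KEY_VALUE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|([^,\]]*))""")


def parse_audit_event(line: str):
    """Dict of the fields inside Audit:[...], or None for a non-audit line."""
    m = AUDIT_BODY.search(line)
    if not m:
        return None
    event = {}
    for kv in KEY_VALUE.finditer(m.group(1)):
        value = next(g for g in kv.groups()[1:] if g is not None)
        event[kv.group(1)] = value.strip()
    return event


def is_interactive(event: dict, drop_saved_searches: bool = True) -> bool:
    """True when the event plausibly came from a logged-in human."""
    if event.get("user", "n/a") in SYSTEM_USERS:
        return False
    if "scheduler__" in event.get("search_id", ""):   # any owner, not only nobody
        return False
    if drop_saved_searches and event.get("savedsearch_name", ""):
        return False
    return True


def last_seen_by_user(lines, drop_saved_searches: bool = True) -> dict:
    """Equivalent of '| stats max(timestamp) by user', keeping the action too."""
    latest = {}   # user -> (datetime, action)
    for line in lines:
        ev = parse_audit_event(line)
        if not ev or not is_interactive(ev, drop_saved_searches):
            continue
        try:
            ts = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        except (KeyError, ValueError):
            continue
        if ev["user"] not in latest or ts > latest[ev["user"]][0]:
            latest[ev["user"]] = (ts, ev.get("action", ""))
    return {u: {"last_seen": ts.isoformat(timespec="milliseconds"), "action": act}
            for u, (ts, act) in latest.items()}


if __name__ == "__main__":
    for user, info in sorted(last_seen_by_user(SAMPLE_AUDIT_LINES).items()):
        print(f"{user:12s} {info['last_seen']}  {info['action']}")
    print("with saved-search filter off:", sorted(last_seen_by_user(SAMPLE_AUDIT_LINES, False)))
```

On the constructed sample only alice survives with the defaults; switching drop_saved_searches off adds carol, whose hand-run report has an ordinary search_id, which is the case the caveat above is about.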
I forgot about this question. I ended up writing a similar search that does the job.