Splunk Search
Users who are logged in right now

Motivator

Hey,

Is there a search that shows all of the users that are logged in to my Splunk instance right now?

I have some searches (via index=_audit) that show which users have logged on successfully but it would be good to be able to see at any time those who are currently logged in using Splunk.

Any help would be much appreciated.

Thanks in advance.

Re: Users who are logged in right now

Builder

I use this:

 index=_audit  NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user

It may not be the best, but it gives me an idea who's in the system and the last action they took. Useful when you need to do stealth restarts in production 🙂

Brian

Re: Users who are logged in right now

Motivator

I forgot about this question. I ended up writing a similar search that does the job

Re: Users who are logged in right now

Motivator

The problem with this search is that it shows users who have not logged in -- for example, audit records that track saved searches run for a particular user.

I have not figured out a way to screen those out, because if the action is 'search' you can't use that to screen them because a logged-in user can also have audit records that have that action.

Re: Users who are logged in right now

Explorer

@wrangler2x: I think adding savedsearch_name="" to the query above would address your valid concerns about saved searches that automatically run for certain user accounts. That particular field should be non-empty if it is really a saved search.

Re: Users who are logged in right now

Super Champion

Another approach is to look at who is currently authenticated to your splunkd process. This isn't really a search, but it may give you the info you are looking for.

https://your-splunk-server:8089/services/authentication/httpauth-tokens

Note the "userName" field.

Re: Users who are logged in right now

Path Finder

You can make it into a search like this:

| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName
Re: Users who are logged in right now

Motivator

Very interesting. Looking at it though, it seems that 'updated' is not very helpful... it seems to always reflect the current time. I think the more interesting field is max(timeAccessed) because it appears to reflect actual last usage.

I also have another search I have been using with some success:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats count by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user
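The REST-based answers above (the httpauth-tokens endpoint, queried with `| rest`, and the observation that `timeAccessed` rather than `updated` reflects real usage) can also be consumed outside a Splunk search. The script below is an added example, not code from any poster in this thread or from Splunk: it parses an Atom feed in the shape the endpoint returns, keeps the newest `timeAccessed` per `userName`, drops system accounts, and reports only users seen within an idle window. The feed content, the timestamp format, the account names and the `active_user_names` / `max_idle_minutes` names are constructed for the example.

```python
"""List currently active Splunk users from an httpauth-tokens Atom feed.

Added example. SAMPLE_FEED is a constructed Atom document in the shape of a
Splunk REST response; the userName / timeAccessed / updated field names
match the endpoint, the timestamp format and values are assumed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Accounts that hold tokens without an interactive login (same exclusions
# as the _audit searches in the thread).
SYSTEM_USERS = {"splunk-system-user", "n/a"}

# Constructed sample: two tokens for alice, one stale token for bob,
# one token for the system account.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>httpauth-tokens</title>
  <entry><title>tok1</title><updated>2024-05-01T10:20:00+00:00</updated>
    <content type="text/xml"><s:dict>
      <s:key name="userName">alice</s:key>
      <s:key name="timeAccessed">2024-05-01T10:14:30+00:00</s:key>
    </s:dict></content></entry>
  <entry><title>tok2</title><updated>2024-05-01T10:20:00+00:00</updated>
    <content type="text/xml"><s:dict>
      <s:key name="userName">alice</s:key>
      <s:key name="timeAccessed">2024-05-01T09:50:00+00:00</s:key>
    </s:dict></content></entry>
  <entry><title>tok3</title><updated>2024-05-01T10:20:00+00:00</updated>
    <content type="text/xml"><s:dict>
      <s:key name="userName">bob</s:key>
      <s:key name="timeAccessed">2024-05-01T08:00:00+00:00</s:key>
    </s:dict></content></entry>
  <entry><title>tok4</title><updated>2024-05-01T10:20:00+00:00</updated>
    <content type="text/xml"><s:dict>
      <s:key name="userName">splunk-system-user</s:key>
      <s:key name="timeAccessed">2024-05-01T10:19:00+00:00</s:key>
    </s:dict></content></entry>
</feed>
"""

# "Now" for the example; in practice use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 10, 20, 0, tzinfo=timezone.utc)


def parse_tokens(feed_xml):
    """Return a list of (userName, timeAccessed) tuples, one per token entry."""
    root = ET.fromstring(feed_xml)
    tokens = []
    for entry in root.findall(f"{ATOM}entry"):
        fields = {}
        for key in entry.iter(f"{SREST}key"):
            fields[key.get("name")] = (key.text or "").strip()
        if "userName" in fields and "timeAccessed" in fields:
            accessed = datetime.fromisoformat(fields["timeAccessed"])
            tokens.append((fields["userName"], accessed))
    return tokens


def active_users(feed_xml, now, max_idle_minutes=30):
    """Map userName -> most recent timeAccessed, excluding system accounts
    and users whose newest token is older than max_idle_minutes."""
    latest = {}
    for user, accessed in parse_tokens(feed_xml):
        if user in SYSTEM_USERS:
            continue
        if user not in latest or accessed > latest[user]:
            latest[user] = accessed
    cutoff = now - timedelta(minutes=max_idle_minutes)
    return {u: t for u, t in latest.items() if t >= cutoff}


def active_user_names(feed_xml, now, max_idle_minutes=30):
    """Sorted user names from active_users, convenient for a quick report."""
    return sorted(active_users(feed_xml, now, max_idle_minutes))


if __name__ == "__main__":
    for user, accessed in active_users(SAMPLE_FEED, NOW).items():
        print(f"{user}: last access {accessed.isoformat()}")
```

With the sample feed and a 30-minute idle window, only alice is reported: her newer token wins over the older one, bob's token is stale, and the system account is excluded. Widening the window to ten hours brings bob back, which is the same trade-off the `max(timestamp) by user` searches in this thread make when choosing a time range.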

Re: Users who are logged in right now

Explorer

Thanks wrangler2x, this is exactly what I needed!

Re: Users who are logged in right now

Path Finder

index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(timestamp) by user
