Is there a search that shows all of the users that are logged in to my Splunk instance right now?
I have some searches (via index=_audit) that show which users have logged on successfully but it would be good to be able to see at any time those who are currently logged in using Splunk.
Any help would be much appreciated.
Thanks in advance.
I use this:
index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(_time) as last_action by user | convert ctime(last_action)
It may not be the best, but it gives me an idea of who's in the system and the last action they took. Useful when you need to do stealth restarts in production 🙂
The problem with this search is that it shows users who have not logged in -- for example, audit records that track saved searches run for a particular user.
I have not figured out a way to screen those out, because if the action is 'search', you can't use that to screen them, since a logged-in user can also have audit records with that action.
@wrangler2x: I think adding savedsearch_name="" to the query above would address your valid concerns about saved searches that automatically run for certain user accounts. That particular field should be non-empty if it is really a saved search.
Another approach is to look at who is currently authenticated to your splunkd process. This isn't really a search, but it may give you the info you are looking for.
Note the "userName" field.
You can make it into a search like this:
| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName
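The httpauth-tokens listing above, handled in Python as an added example that is not part of the original answer or of Splunk's own tooling: it fetches the endpoint in JSON form (the fetch function needs a live management port and a session key, so it is not exercised offline) and reduces the token list to one row per userName, keeping the newest timeAccessed per user and ignoring updated. The sample payload is constructed; the entry/content layout follows Splunk's JSON output mode, but the timestamp format of timeAccessed (ISO 8601 here), the base URL, the session key and the idle window are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample of what /services/authentication/httpauth-tokens?output_mode=json
# returns, trimmed to the fields used here. Entry/content layout follows Splunk's
# JSON output mode; the ISO 8601 form of timeAccessed is an assumption.
SAMPLE_TOKENS = json.dumps({
    "entry": [
        {"name": "tok1", "updated": "2024-03-01T09:30:00+00:00",
         "content": {"userName": "alice", "timeAccessed": "2024-03-01T09:16:40+00:00"}},
        {"name": "tok2", "updated": "2024-03-01T09:30:00+00:00",
         "content": {"userName": "alice", "timeAccessed": "2024-03-01T08:02:10+00:00"}},
        {"name": "tok3", "updated": "2024-03-01T09:30:00+00:00",
         "content": {"userName": "bob", "timeAccessed": "2024-02-29T17:45:00+00:00"}},
        {"name": "tok4", "updated": "2024-03-01T09:30:00+00:00",
         "content": {"userName": "splunk-system-user", "timeAccessed": "2024-03-01T09:29:59+00:00"}},
    ]
})


def fetch_tokens(base_url, session_key):
    """Fetch the live token list (not run offline). Assumes the management port
    (e.g. https://splunk.example:8089) and a session key from /services/auth/login."""
    req = urllib.request.Request(
        f"{base_url}/services/authentication/httpauth-tokens?output_mode=json&count=0",
        headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_time(value):
    """ISO 8601 string -> epoch seconds (tz-aware, so comparisons are exact)."""
    return datetime.fromisoformat(value).timestamp()


def active_users(payload, idle_seconds=None, now=None, ignore=("splunk-system-user",)):
    """Per userName, the newest timeAccessed across that user's tokens.
    'updated' is ignored on purpose: it reflects when the listing was produced,
    not when the user last did anything. With idle_seconds set, users whose
    newest access is older than that window are dropped."""
    doc = json.loads(payload)
    latest = {}
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        user = content.get("userName")
        if not user or user in ignore:
            continue
        t = parse_time(content["timeAccessed"])
        if t > latest.get(user, float("-inf")):
            latest[user] = t
    if idle_seconds is not None:
        now = now if now is not None else datetime.now(timezone.utc).timestamp()
        latest = {u: t for u, t in latest.items() if now - t <= idle_seconds}
    return latest


if __name__ == "__main__":
    # Offline demo on the constructed payload; swap in fetch_tokens(...) for a live box.
    for user, t in sorted(active_users(SAMPLE_TOKENS).items()):
        print(f"{user:<20} {datetime.fromtimestamp(t, timezone.utc).isoformat()}")
```

The idle window is the knob that turns "has a token" into "is actually using Splunk right now": a token that was last touched hours ago still appears in the listing, so a 30 or 60 minute cutoff is usually closer to what a stealth-restart check wants.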
Very interesting. Looking at it though, it seems that 'updated' is not very helpful... it seems to always reflect the current time. I think the more interesting field is max(timeAccessed) because it appears to reflect actual last usage.
I also have another search I have been using with some success:
index=_audit [search index=_internal source="*web_access.log" user!="-" | stats count by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(_time) as lastTime, min(_time) as firstTime by user | convert ctime(lastTime) ctime(firstTime)
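The _audit-based approaches in this thread (the stats-by-user search, the savedsearch_name filter suggested for it, and the web_access.log subsearch in the post just above), reimplemented in Python as an added example that is not from the original thread or from Splunk. The sample _audit and web_access.log lines are constructed in a simplified form; the rule that scheduler-driven runs carry a non-empty savedsearch_name or a search_id beginning with scheduler__ is taken from the thread and is an assumption here. The block also shows why taking max() of the string timestamp field misorders dates across years, which is why the comparison uses epoch time.

```python
import re
from datetime import datetime, timezone

# Constructed sample _audit events in a simplified key=value form (not captured
# from a real Splunk instance). Real Audit:[...] lines carry more fields; these
# are the ones the searches in this thread filter on.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 09:15:02.100, user=alice, action=login attempt, info=succeeded]
Audit:[timestamp=03-01-2024 09:16:40.512, user=alice, action=search, info=granted, search_id='1709284600.123']
Audit:[timestamp=12-20-2023 23:59:10.000, user=bob, action=search, info=granted, search_id='1703116750.4']
Audit:[timestamp=03-01-2024 09:18:00.000, user=bob, action=search, info=granted, search_id='1709284680.9']
Audit:[timestamp=03-01-2024 09:20:00.000, user=bob, action=search, info=granted, search_id='scheduler__bob__search__RMD5abc_at_1709284800_1', savedsearch_name="Nightly errors"]
Audit:[timestamp=03-01-2024 09:21:11.000, user=splunk-system-user, action=search, info=granted, search_id='scheduler__nobody__search__RMD5def_at_1709284860_2']
Audit:[timestamp=03-01-2024 09:22:00.000, user=n/a, action=login attempt, info=failed]
Audit:[timestamp=03-01-2024 09:25:30.000, user=carol, action=rtsearch, info=granted, search_id='rt_1709285130.7']
"""

# Constructed lines in the shape of splunkd's web_access.log; the third field is
# the authenticated user, "-" when there is none.
SAMPLE_WEB_ACCESS = """\
10.0.0.5 - alice [01/Mar/2024:09:15:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120
10.0.0.9 - - [01/Mar/2024:09:15:30.000 +0000] "GET /en-US/account/login HTTP/1.1" 200 2048
10.0.0.7 - bob [01/Mar/2024:09:17:55.000 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 310
"""

SYSTEM_USERS = {"n/a", "splunk-system-user"}
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^,\]]+)""")


def parse_audit(text):
    """Audit:[k=v, ...] lines -> dicts, with an added epoch '_time' field."""
    events = []
    for line in text.splitlines():
        if not line.startswith("Audit:["):
            continue
        ev = {k: v.strip("'\"") for k, v in KV_RE.findall(line)}
        ts = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        ev["_time"] = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append(ev)
    return events


def is_interactive(ev):
    """Drop system identities and scheduler runs done on a user's behalf
    (non-empty savedsearch_name, or a scheduler__ search_id; assumed markers)."""
    if ev.get("user") in SYSTEM_USERS:
        return False
    if ev.get("savedsearch_name"):
        return False
    return not ev.get("search_id", "").startswith("scheduler__")


def web_users(text):
    """Users with at least one authenticated Splunk Web request (user != '-')."""
    users = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[2] != "-":
            users.add(parts[2])
    return users


def last_action_by_user(events, only_users=None):
    """Newest interactive event per user, compared on epoch time. only_users
    narrows to users seen in web_access.log, like the subsearch above."""
    latest = {}
    for ev in filter(is_interactive, events):
        user = ev["user"]
        if only_users is not None and user not in only_users:
            continue
        if user not in latest or ev["_time"] > latest[user]["_time"]:
            latest[user] = ev
    return {u: (e["timestamp"], e["action"]) for u, e in latest.items()}


def naive_string_max(events):
    """What max() on the string timestamp field does: lexicographic order, so
    '12-20-2023 ...' beats '03-01-2024 ...'. Kept only to show the pitfall."""
    latest = {}
    for ev in filter(is_interactive, events):
        latest[ev["user"]] = max(latest.get(ev["user"], ""), ev["timestamp"])
    return latest


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for user, (ts, action) in sorted(last_action_by_user(evs).items()):
        print(f"{user:<8} {ts}  {action}")
    print("web users only:", sorted(last_action_by_user(evs, web_users(SAMPLE_WEB_ACCESS))))
    print("string max for bob:", naive_string_max(evs)["bob"])
```

In SPL the epoch comparison is stats max(_time) rather than max(timestamp); the string field sorts month-first, so a user's December activity can outrank their March activity.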