Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to inform the splunk users of a maintenance in splunk ?

mataharry
Communicator
‎02-18-2014 12:34 PM

I have to do some maintenances in splunk and want to warn the users that splunk will be down.

  • How to get the list of active users logged in ?
  • There is a message bar, can I post messages to it ?
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2014 12:40 PM

This should give you currently logged in users. (have some extra parts to get roles of logged in users)

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" 
| table userName splunk_server timeAccessed |join type=left userName [| rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name]
|rename userName as User |rename splunk_server as "Splunk Server"|rename timeAccessed as "Time Accessed"|rename roles as Role
|table User,"Splunk Server",Name,Role

To send a message to all logged in users, go to
Manager » User interface » Bulletin Messages and add a new bulletin message. Once Maintenance is done delete the message.

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-18-2014 12:40 PM

You can post with the Rest endpoint, and an admin user.

# post maintenance message on a search-head

curl -k -u admin:changeme https://mysplunkinstance.domain.com:8089/services/messages -d severity="warn" -d name=message -d value="This is your Splunk Admin, there will be a maintenance of this instance in 10 minutes -> 15:00 , ETA of 30 minutes -> 15:30, for updates contact me at YourFriendlyNeighborhoodAdmin@mydomain.com"

To the list of the active users, check the SOS dashboard or this search over last hour.


earliest=-1h index=_internal source="*web_access.log*"
| rex "\d+\.\d+\.\d+\.\d+ - (?<user>\w+)"
| fillnull user value="missing"
| stats first(_time) AS "last_activity" by user
| convert ctime(last_activity)

Reply
Solved! Jump to solution

mataharry
Communicator
‎02-18-2014 12:43 PM

so the curl command allows to specify the severity.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2014 12:40 PM

This should give you currently logged in users. (have some extra parts to get roles of logged in users)

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" 
| table userName splunk_server timeAccessed |join type=left userName [| rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name]
|rename userName as User |rename splunk_server as "Splunk Server"|rename timeAccessed as "Time Accessed"|rename roles as Role
|table User,"Splunk Server",Name,Role

To send a message to all logged in users, go to
Manager » User interface » Bulletin Messages and add a new bulletin message. Once Maintenance is done delete the message.

Reply
Solved! Jump to solution

mataharry
Communicator
‎02-18-2014 12:42 PM

nice, I never saw the manager interface.

Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top