Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a splunk alert if the user login to splunk via local credential using Splunk login type?

mala_fmr
Engager
‎11-03-2022 10:43 AM

Hi, 

We have 2 Splunk authentication systems - SAML,Splunk (default). We wanted to have an alert, if the user login to Splunk via "Splunk" authentication system.

Is there way to do that? Can we do this via Splunk query?
need help on this.

Thanks,

Mala S

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 12:47 PM

That's in the audit logs.

index=_audit info=succeeded method=Splunk user!=internal_observability
---
If this reply helps you, Karma would be appreciated.
Reply

starcher
Influencer
‎11-04-2022 05:18 AM

with some cleanup since Splunk can't onboard their own audit logs.

index=_audit info=succeeded method=Splunk user!=internal_observability
| rename useragent as http_user_agent
| eval signature=reason." local splunk user login", src=coalesce(clientip,"unknown"), session_id=session
| iplocation prefix=src_ src
0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...