- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Is it possible to tell if users are online before ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to query for online users via CLI, not through SPL? I reboot frequently and want my reboot shell script to say "WARNING: (1) users are online. Are you sure you want to reboot?"
Currently I go run a SPL search every time I reboot to make sure nobody is online, which is a huge pain
Or am limited to doing this with Python SDK?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can search from the CLI, but you'll still have to use SPL:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/CLIsearchsyntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can search from the CLI, but you'll still have to use SPL:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/CLIsearchsyntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I should have clarified, I am fine doing it through SPL, I just didn't want to do it through the search UI.
I didn't use the Python SDK to do write this, just did it in normal Python (my bash scripting isn't quite up to par to do this in bash):
import os
query = os.popen('/opt/splunk/bin/splunk search "search earliest=-3m latest=now \`users_online\`"').read()
if "--------" in query:
print "CAUTION: Users are online. Perform manual reboot."
else:
print "Users are not online. Rebooting"
os.system("/opt/splunk/bin/splunk stop -f && /opt/splunk/bin/splunk start")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Macro:
(index=_internal sourcetype=splunkd_ui_access uri_path="/en-US/app*") OR (index=_audit AND action="login attempt" OR (search!="" search_id!="'scheduler*" search_id!="scheduler*" search_id!="'subsearch*")) user!="splunk-system-user" user!="n/a" user!="ME" user!=testuser* user!="-" | eval sortable_time=_time | eval time=strftime(sortable_time,"%Y-%m-%d %H:%M:%S") |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | sort 0 sortable_time | dedup user | table user
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
