Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to tell if users are online before reboot?

nick405060
Motivator
‎12-16-2019 03:56 PM

Is it possible to query for online users via CLI, not through SPL? I reboot frequently and want my reboot shell script to say "WARNING: (1) users are online. Are you sure you want to reboot?"

Currently I go run a SPL search every time I reboot to make sure nobody is online, which is a huge pain

Or am limited to doing this with Python SDK?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎12-17-2019 12:33 PM

You can search from the CLI, but you'll still have to use SPL:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/CLIsearchsyntax

View solution in original post

Reply
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎12-17-2019 12:33 PM

You can search from the CLI, but you'll still have to use SPL:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/CLIsearchsyntax

Reply
Solved! Jump to solution

nick405060
Motivator
‎12-18-2019 11:12 AM

Thanks. I should have clarified, I am fine doing it through SPL, I just didn't want to do it through the search UI.

I didn't use the Python SDK to do write this, just did it in normal Python (my bash scripting isn't quite up to par to do this in bash):

import os

query = os.popen('/opt/splunk/bin/splunk search "search earliest=-3m latest=now \`users_online\`"').read()

if "--------" in query:
        print "CAUTION: Users are online. Perform manual reboot."
else:
        print "Users are not online. Rebooting"
        os.system("/opt/splunk/bin/splunk stop -f && /opt/splunk/bin/splunk start")
0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎12-18-2019 11:22 AM

Macro:

(index=_internal sourcetype=splunkd_ui_access uri_path="/en-US/app*") OR (index=_audit AND action="login attempt" OR (search!="" search_id!="'scheduler*"  search_id!="scheduler*" search_id!="'subsearch*")) user!="splunk-system-user" user!="n/a" user!="ME" user!=testuser* user!="-" | eval sortable_time=_time | eval time=strftime(sortable_time,"%Y-%m-%d %H:%M:%S") |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | sort 0 sortable_time | dedup user | table user
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...