Security

How do I restrict the number of concurrent logins?

melonman
Motivator

Hi,

Is there any configuration that can set the maximum number of concurrent logins for SplunkWeb?
e.g. I don't want many users to log in as admin.

Thanks,

Tags (2)
1 Solution

rturk
Builder

As far as I'm aware there's no way to do this in Splunk itself. You should be able to do this with something like an F5 LTM/APM married up with an iRule to limit concurrent sessions, but from what you've said I doubt this is what you're after.

This sounds like a scaling or user management issue rather than a technical one. Is there any reason why you want to limit admin users in particular?

Cheers,

RT

View solution in original post

leesiangfong
New Member

Hi All,
Just a quick check of anyone has successfully solve this issue based on current version 6.3

James

0 Karma

davidpaper
Contributor

Nope. Concurrent users aren't a metric Splunk really cares about. Recall that if a user is logged in and sitting on a Splunk dashboard or the S&R app and not doing anything other than looking at the results of a search or of a view that has already completed loading, there is no "load" on Splunk for that user. It is only when the user is executing searches or loading dashboards that they are generating search load.

Note that with recent versions of Splunk, as a user types in SPL, there is a small amount of "typeahead" load that is generated as Splunk tries to help out the user with Splunk command syntax and search through the users history attempting to match previous searches.

0 Karma

jhritz
Splunk Employee
Splunk Employee

If you're interested in looking up who is logged in, you could use the following search "index=_internal sourcetype="splunk_web_access" user!="-" |transaction user | where mvcount(clientip) > 1 | table user clientip" to determine how many sessions are logged in with a single account. Depending on your enterprise setup, you could also do a lookup by IP to determine who is logged in from which workstation.

0 Karma

rturk
Builder

As far as I'm aware there's no way to do this in Splunk itself. You should be able to do this with something like an F5 LTM/APM married up with an iRule to limit concurrent sessions, but from what you've said I doubt this is what you're after.

This sounds like a scaling or user management issue rather than a technical one. Is there any reason why you want to limit admin users in particular?

Cheers,

RT

View solution in original post

rturk
Builder

I'm currently doing user planning for a distributed deployment now so I feel your pain. Best of luck.

0 Karma

melonman
Motivator

Thank you for your comment.
As you guessed, I need to limit a certain number of users because the sizing of Splunk and hardware as well as whole network need to be under control. There is no ongoing issue, but I simply need the feature as a system requirement.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!