index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart distinct_count(clienthost) by clienthost span=1d limit=100
This command worked very well.
index=_audit action="login attempt" "info=succeeded" | stats count by action , user , _time | timechart span=1d count by user
I used this.
How about pulling out the host/IP from which the user is accessing Splunk?
Leo,
I built my app in almost the same way you built yours.
Is it compatible with SHC?
I'm very much concerned about how disk consumption grows with artifact replication in an SHC environment.
Below is a list of dashboards I'm trying to get done in my spare time:
- individual disk usage (searchable UI) and top disk usage users
- alert on artifacts with an expiration time of X hours and more than X MB
- SHC artifact replication and configuration sync status among search heads
- per search head total disk usage historical curve and a "prediction" of how much disk will be needed in X months/days
- alert for a threshold on free disk space X growth percentage
Take these as suggestions to be added to your app, or point me to any apps that may
already accomplish at least part of it.
Cya.
I've put together an app that shows in real time who's logged on: Who's there
Please let me know if you have any suggestions.
Another alternative to show who has logged in during the last hour and is still logged in now:
index=_internal (action=login OR action=logout) sourcetype="splunk_web_service" earliest=-1h | stats first(action) as currentstate by user | where currentstate="login"
How about this?
Seems to work for me and aside from users currently logged-in, tracks also the times when a user logged-in or logged-off:
index=_internal source="*web_access.log" user!="-" |eval status=if(count < 1,0,1)| timechart max(status) by user
I did like this as well.
But is there an easy way to get row as user and column as time?
If I do:
index=_internal source="*web_access.log" user!="-"
| eval status=if(count < 1,0,1)
| timechart max(status) by user
| transpose
It's close to correct, except the column headers become row1, row2, etc., not the time.
How to fix that?
Nice one. Variety one.
Based on this, the timechart looks very good and the stacked one is quite cool. Cheers for this.
Perfect, man, it works 🙂
Kinda neat. It gets cumbersome if more than a few users are logged in or when searching over a long time period, but I like it. If you just want to count users, change "timechart" to "stats".
You can find the logout message in web_service.log:
2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5" clientip=101.33.11.153
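As an added, stand-alone illustration (not code from this thread or from Splunk), here is the logic of the earlier search (earliest=-1h | stats first(action) by user | where currentstate="login") applied offline to constructed lines in the web_service.log format quoted above: a small Python parser that keeps each user's latest login/logout inside a one-hour window and reports who is still logged in. It also drops non-success events, which the SPL above does not; the sample lines, ids and users are constructed.

```python
import re
from datetime import datetime, timedelta

# One web_service.log line, as quoted in the thread:
#   <timestamp>,<ms> <level> [<id>] <module>:<line> - key=value key="quoted value" ...
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+ \[[^\]]*\] \S+ - (.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not real Splunk data); "now" in the checks below is 04:30.
SAMPLE_LOG = """\
2010-06-27 03:05:12,101 INFO [4d4163aa11aa11aa11] account:237 - user=alice action=login status=success reason=user-initiated useragent="Mozilla/5.0 (X11; Linux x86_64)" clientip=10.0.0.5
2010-06-27 03:40:02,555 INFO [4d4163bb22bb22bb22] account:237 - user=bob action=login status=success reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.6
2010-06-27 03:50:44,010 INFO [4d4163bb22bb22bb22] account:237 - user=bob action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.6
2010-06-27 04:10:09,300 INFO [4d4163cc33cc33cc33] account:237 - user=carol action=login status=failure reason=constructed-bad-credentials useragent="Mozilla/5.0" clientip=10.0.0.8
2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=login status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5" clientip=101.33.11.153
"""


def parse_line(line):
    """Return (timestamp, fields) for one account line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        fields[key] = bare if bare else quoted  # quoted values may contain spaces
    return ts, fields


def current_sessions(log_text, now, window=timedelta(hours=1)):
    """Mirror of the SPL: keep login/logout events inside the window, take each
    user's latest action, and report users whose latest action is a login.
    Extra check the SPL lacks: only status=success events are considered."""
    latest = {}  # user -> (timestamp, action)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("action") not in ("login", "logout") or f.get("status") != "success":
            continue
        if not (now - window <= ts <= now):
            continue
        user = f.get("user")
        if user and (user not in latest or ts >= latest[user][0]):
            latest[user] = (ts, f["action"])
    return sorted(u for u, (_, action) in latest.items() if action == "login")
```

At 04:30 only matt is reported: alice's login is older than the window, bob has logged out, and carol's login failed.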
Under the 'status' dropdown in the Search app (if you are using 4.1+), you can slide out the 'Search Activity' submenu and select "UI Activity". This shows you the people who are accessing Splunk via the web interface.
It doesn't really show you if they are actually doing something at that very moment, but you can narrow your list of people whom you need to call before doing maintenance...
You can also get some information by searching some internal Splunk logs:
Based on web access to splunkd web (IP address only):
index=_internal source="*web_access.log" earliest=-15m | top clientip
User based on interactive searches:
index=_internal source=searches | top user
User logins based on audit logs:
index=_audit action="login attempt" "info=succeeded"
There doesn't seem to be any audit of any logout events, unfortunately.
You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.
Using the same interface in a Splunk search:
| rest /services/authentication/httpauth-tokens splunk_server=local | stats max(updated) by userName