Refine your search:

How do you find out who is logged onto Splunk right now?

2
1

I'm trying to find a way to see, at any given point in time, what users are actually logged into Splunk. (At least how many) Does anyone have any suggestions? Thanks!

asked 17 Jun '10, 20:18

dhaffner's gravatar image

dhaffner
1595
accept rate: 100%

4 Answers:
oldestnewestmost voted
4

You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.

https://splunk-server:8089/services/admin/httpauth-tokens

link

answered 17 Jun '10, 20:54

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
8.1k47
accept rate: 52%

edited 17 Jun '10, 21:12

4

You can also get some information by searching some internal splunk logs:

  1. Based on web access to splunkd web (ip address only)

    index=_internal source="*web_access.log" earliest=-15m | top clientip

  2. User based on interactive searches:

    index=_internal source=searches | top user

  3. User logins based on audit logs:

    index=_audit action="login attempt" "info=succeeded"

There doesn't seem to be any audit of any logout events, unfortunately.

link

answered 17 Jun '10, 21:48

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

3

You can find logout message in web_service.log

2010-06-27 04:21:40,855 INFO [4d416354d820e7f350] account:237 - user=matt action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5" clientip=101.33.11.153

link

answered 27 Jan '11, 12:30

mzorzi's gravatar image

mzorzi
1.3k219
accept rate: 14%

1

Under the 'status' dropdown in the Search app (if you are using 4.1+), you can slide out the 'Search Activity' submenu, and select "UI Activity". This shows you people who are accessing splunk via the web interface.

It doesn't really show you if they are actually doing something at that very moment, but you can narrow your list of people whom you need to call before doing maintenance...

link

answered 18 Jun '10, 13:48

rotten's gravatar image

rotten
2668
accept rate: 17%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×66
×59

Asked: 17 Jun '10, 20:18

Seen: 1,754 times

Last updated: 27 Jan '11, 12:30

Related questions

Splunk Web login user IP address correlation?

Is there a way to find the number of UI users logged into Splunk at any given time?

Show Windows Login Events as Who Was Logged in When

search based on logged in user id

Logged in as Different User

User has left the company, now getting "Could not find user:" errors

Login/ password for "other user" account

How do I pass the logged in user to a workflow action?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.