|
I need a search that can show me who is logging into our splunk instance itself. Not monitor logins to systems that are logging to splunk but monitor who is using splunk itself... I am tinkering with something like "index=_internal sourcetype=access_combined" but can't find the actual "login" event. |
|
Actually, if you logins to Splunk as opposed the searches submitted, you can also search: |
|
OK, being kindof stupid, the Search Status dashboard has something like what I am looking for that I can use. One of the panels has "UI activity by user" that can be run separately. Namely: "index="internal" source="/splunkd_access.log" "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-"| rex (?\d+)ms$ | timechart eval(sum(run_time)/1000) by user" This works for my purposes. |