For some reason, two of my searches are generating events in the remote_searches.log with the field value action=login. Since I usually search on index=_internal action=login to see if anybody is logged in before I restart Splunk, it's making that search more difficult to interpret.
This is what the event looks like:
07-24-2014 10:36:11.002 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=remote_splunk.server.com_scheduler__admin__interact__RMD536e2aa50dc9e406f_at_1406223300_53, server=splunk.server.com, active_searches=7, elapsedTime=2.210, search='litsearch index="customer" action="Login" NOT ( src_ip="192.168.132.229" OR src_ip="192.168.141.12" OR src_ip="192.168.162.208" OR src_ip="192.168.200.10" OR src_ip="192.168.233.10" OR src_ip="192.168.237.10" OR src_ip="192.168.118.2" OR src_ip="192.168.119.102" OR src_ip="192.168.13.132" OR src_ip="192.168.94.46" OR src_ip="192.168.124.162" ) NOT src_ip="NULL" | fields keepcolorder=t "accountname" "client_country" "client_org" "count" "database" "host" "pod" "prestats_reserved_*" "psrsvd_*" "seen" "source" "sourcetype" "src_ip" "username"', savedsearch_name="Suspicious Logins"
And yet when I drill down into that saved search, there are a bunch of stats commands and lookups that follow the end of the search in the event above.
I don't understand why this search and one other are generating all of these remote login events while none of my other saved searches are.
Thanks.
Craig
The search string itself contains action="Login"
, triggering Splunk to extract that as a field. I've highlighted the part in your query.
Unrelated, use following to get the currently logged users.
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId=""
| table userName splunk_server timeAccessed