Reporting

Why are saved searches generating login events in the remote_searches.log?

responsys_cm
Builder

For some reason, two of my searches are generating events in the remote_searches.log with the field value action=login. Since I usually search on index=_internal action=login to see if anybody is logged in before I restart Splunk, it's making that search more difficult to interpret.

This is what the event looks like:

07-24-2014 10:36:11.002 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=remote_splunk.server.com_scheduler__admin__interact__RMD536e2aa50dc9e406f_at_1406223300_53, server=splunk.server.com, active_searches=7, elapsedTime=2.210, search='litsearch index="customer" action="Login" NOT ( src_ip="192.168.132.229" OR src_ip="192.168.141.12" OR src_ip="192.168.162.208" OR src_ip="192.168.200.10" OR src_ip="192.168.233.10" OR src_ip="192.168.237.10" OR src_ip="192.168.118.2" OR src_ip="192.168.119.102" OR src_ip="192.168.13.132" OR src_ip="192.168.94.46" OR src_ip="192.168.124.162" ) NOT src_ip="NULL" | fields keepcolorder=t "accountname" "client_country" "client_org" "count" "database" "host" "pod" "prestats_reserved_*" "psrsvd_*" "seen" "source" "sourcetype" "src_ip" "username"', savedsearch_name="Suspicious Logins"

And yet when I drill down into that saved search, there are a bunch of stats commands and lookups that follow the end of the search in the event above.

I don't understand why this search and one other are generating all of these remote login events while none of my other saved searches are.

Thanks.

Craig

martin_mueller
SplunkTrust

The search string itself contains action="Login", triggering Splunk to extract that as a field. I've highlighted the part in your query.

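As an added illustration of the answer above (example code, not part of the original thread or of Splunk itself): a small Python model of Splunk's automatic key=value field extraction, run over three constructed sample events. The event text, file paths, the "Failed Jobs" saved search and the UiAuth login line are assumptions made for the example, and the regex is a deliberate simplification of Splunk's real extractor; it is only meant to show why a search string containing action="Login" turns into an action field that a case-insensitive action=login search then matches.

```python
import re

# Constructed sample events (not real Splunk output). The first two are
# modelled on the remote_searches.log event in the question; the third is
# modelled on an interactive UI login as logged to index=_internal. Exact
# log formats, paths and the saved-search names are illustrative assumptions.
SAMPLE_EVENTS = [
    {
        "source": "/opt/splunk/var/log/splunk/remote_searches.log",
        "_raw": (
            "07-24-2014 10:36:11.002 -0700 INFO StreamedSearch - Streamed search "
            "connection terminated: search_id=remote_splunk.server.com_scheduler__admin__"
            "interact__RMD536e2aa50dc9e406f_at_1406223300_53, server=splunk.server.com, "
            "active_searches=7, elapsedTime=2.210, search='litsearch index=\"customer\" "
            "action=\"Login\" NOT src_ip=\"NULL\" | fields keepcolorder=t \"src_ip\" "
            "\"username\"', savedsearch_name=\"Suspicious Logins\""
        ),
    },
    {
        "source": "/opt/splunk/var/log/splunk/remote_searches.log",
        "_raw": (
            "07-24-2014 10:36:12.417 -0700 INFO StreamedSearch - Streamed search "
            "connection terminated: search_id=remote_splunk.server.com_scheduler__admin__"
            "interact__RMD5deadbeef00000000_at_1406223300_54, server=splunk.server.com, "
            "active_searches=6, elapsedTime=0.914, search='litsearch index=\"customer\" "
            "status=\"failed\" | stats count by host', savedsearch_name=\"Failed Jobs\""
        ),
    },
    {
        "source": "/opt/splunk/var/log/splunk/web_service.log",
        "_raw": (
            "07-24-2014 10:40:02.118 -0700 INFO UiAuth - user=admin action=login "
            "status=success reason=user-initiated clientip=192.168.1.20"
        ),
    },
]

# Simplified stand-in for Splunk's auto key=value extraction: a key, '=', then
# either a double-quoted value or a bare token. Single quotes are not treated
# as delimiters, so pairs nested inside search='...' are picked up as well.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,\'"]+))')


def extract_fields(raw):
    """Every key=value pair anywhere in the event text becomes a field,
    including pairs embedded in the SPL of a remote_searches.log event.
    First occurrence of a key wins (an assumption; Splunk keeps multivalues)."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(raw):
        fields.setdefault(key, quoted or bare)
    return fields


def field_matches(event, field, value):
    """A Splunk field=value term compares case-insensitively, so action=login
    also hits an event whose extracted action is "Login"."""
    got = extract_fields(event["_raw"]).get(field)
    return got is not None and got.lower() == value.lower()


def search_logins(events, exclude_remote_searches=False):
    """Model of `index=_internal action=login`, optionally with the analogue
    of `NOT source=*remote_searches.log` to drop the scheduler noise."""
    hits = []
    for ev in events:
        if exclude_remote_searches and ev["source"].endswith("remote_searches.log"):
            continue
        if field_matches(ev, "action", "login"):
            hits.append(ev)
    return hits


def noisy_saved_searches(events):
    """Saved searches that trip the login filter only because their own SPL
    contains an action=... term, which is the situation in the question."""
    names = []
    for ev in search_logins(events):
        fields = extract_fields(ev["_raw"])
        if "savedsearch_name" in fields:
            names.append(fields["savedsearch_name"])
    return names


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        name = ev["source"].rsplit("/", 1)[-1]
        print(name, "-> action =", extract_fields(ev["_raw"]).get("action"))
    print("noisy saved searches:", noisy_saved_searches(SAMPLE_EVENTS))
    real = search_logins(SAMPLE_EVENTS, exclude_remote_searches=True)
    print("real logins:", [extract_fields(e["_raw"])["user"] for e in real])
```

Running it shows "Suspicious Logins" as the only noisy saved search, "Failed Jobs" produces no action field at all, and the UiAuth line is the one genuine login. The SPL analogue of exclude_remote_searches=True is appending NOT source=*remote_searches.log to the original search (source is a default field), which keeps interactive logins and drops the scheduler events without touching the saved search itself.
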
somesoni2
Revered Legend

Unrelated, but use the following to get the currently logged-in users.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId=""
| table userName splunk_server timeAccessed
