Hi All,
I have been using the query below to get the list of users currently logged into my Splunk instance.
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed
When I tried the same thing in Splunk 6, I am getting 0 rows. It seems that for all the logged-in users, the userName field is "splunk-system-user", hence no rows. (I used this clause in Splunk 5.X to exclude scheduled search/Splunk system accounts.)
Has anyone done a similar query to get the list of current users in Splunk 6?
Thanks in advance.
Not sure what the issue was. I just reinstalled Splunk and it's working fine now.
First query doesn't work..
This query works, but it's not live. I had someone actually log off and they still showed up, so it's not real time.
| rest /services/authentication/httpauth-tokens splunk_server=local | table userName | stats dc(userName) by userName
Anyone have a query that actually works in real time?
To find the user logged into Splunk, here are the searches you can use:
| rest /services/authentication/current-context splunk_server=local|table username
or
you could also check the auth tokens
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by userName
I ran this as well and it worked. I got userName->admin, splunk_server->192.168.2.11, timeAccessed-> yada yada.. I'm on Splunk 6.0 Build 174933.
What did it show under the userName field? Did it show all the users or just splunk-system-user? For me it's showing all values as splunk-sys
I ran this on my splunk 6.0 instance and it worked.
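One way to approximate "currently active" users from the httpauth-tokens data discussed in this thread, added here as an example that is not from any poster: keep only non-search tokens whose timeAccessed falls inside a recent window. The JSON shape (entry[].content), the timeAccessed layout and the function name active_users are assumptions, and the sample response is constructed.

```python
from datetime import datetime, timedelta

SYSTEM_USER = "splunk-system-user"
# Assumed layout of timeAccessed; pass a different time_format if yours differs.
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def active_users(entries, now, window=timedelta(minutes=15), time_format=TIME_FORMAT):
    """Return {userName: latest timeAccessed} for interactive tokens used within `window`."""
    latest = {}
    for entry in entries:
        content = entry.get("content", {})
        user = content.get("userName")
        if not user or user == SYSTEM_USER:
            continue  # system account, same exclusion as the original query
        if content.get("searchId"):
            continue  # token tied to a search job, not an interactive login
        try:
            seen = datetime.strptime(content.get("timeAccessed", ""), time_format)
        except ValueError:
            continue  # unparseable timestamp: do not guess
        if now - seen > window:
            continue  # token still listed but idle, e.g. a user who has left
        if user not in latest or seen > latest[user]:
            latest[user] = seen
    return latest


def _entry(user, accessed, search_id=""):
    return {"content": {"userName": user, "timeAccessed": accessed, "searchId": search_id}}


# Constructed sample, shaped like a JSON response from the httpauth-tokens endpoint.
SAMPLE = {"entry": [
    _entry("admin", "Tue Oct  8 11:02:14 2013"),
    _entry("admin", "Tue Oct  8 11:05:00 2013"),
    _entry("splunk-system-user", "Tue Oct  8 11:09:00 2013"),
    _entry("alice", "Tue Oct  8 11:08:00 2013", search_id="scheduler__constructed"),
    _entry("bob", "Tue Oct  8 09:00:00 2013"),
    _entry("carol", "not-a-timestamp"),
]}

if __name__ == "__main__":
    now = datetime(2013, 10, 8, 11, 10, 0)
    for name, seen in sorted(active_users(SAMPLE["entry"], now).items()):
        print(name, seen.isoformat())
```

The window is a heuristic: it reports recent token use, not a confirmed live session.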