- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Find Current logged in users in Splunk 6, query wo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have been using below query to get the list of users currently logged into my Splunk Instance.
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed
When I tried the same thing in Splunk 6, I am getting 0 rows. It seems for all the logged in users, the userName field is "splunk-system-user", hence no rows.(I used this clause in Splunk 5.X to exclude schedule search/splunk system accounts.
Have anyone done similar query to get list of current users in Splunk 6.
Thanks in advanced.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what was the issue. I just reinstalled Splunk and its working fine now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First query doesn't work..
This query works.. but it's not live, had someone log off actualy log off and still showed up, so not real time.
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by username
Anyone have a query that actually works in real time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To find the user logged into Splunk , here are you searches you can use
| rest /services/authentication/current-context splunk_server=local|table username
or
you could also check the auth tokens
| rest /services/authentication/httpauth-tokens splunk_server=local |table userName|stats dc(userName) by userName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what was the issue. I just reinstalled Splunk and its working fine now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran this as well and it worked. I got userName->admin , splunk_server->192.168.2.11, timeAccessed-> yada yada.. Im on Splunk 6.0 Build 174933.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What did it showed under uswrName field? Did it show all the users or just splunk-system-user? For me its showing all values as splunk-sys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran this on my splunk 6.0 instance and it worked.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
