I'd like to see a search that will show me who is logged in currently. Anyone know how to do this?
As far as using a search to do it, the simplest way is to search for this over something like the last 5 minutes or 30 minutes:
index=_audit | timechart count by user
The audit log ultimately will show users searching, logging in, and doing things in Manager.
(To see these categories themselves, search for: index=_audit | timechart count by action)
and to get to the harder bottom line of who has active authTokens, the rest endpoint Simeon mentioned gives the only concrete answer as far as I know --
Per another thread:
You can check the HTTP auth tokens endpoint to see the session keys that are valid and can be used to access splunkd.
https://splunk-server:8089/services/admin/httpauth-tokens
http://answers.splunk.com/questions/3768/how-do-you-find-out-who-is-logged-onto-splunk-right-now
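As an added example (not from either answer above, and not Splunk's own code), here is a small Python helper that reads the httpauth-tokens endpoint in its JSON form and summarises which users hold valid session tokens and whether those sessions look idle. It assumes the JSON layout of `output_mode=json` (one `entry` per token, with `userName` and `timeAccessed` under `content`) and assumes the `timeAccessed` string uses the ctime-style format shown in the constructed sample; check both against your own splunkd before relying on it.

```python
import base64
import json
from datetime import datetime, timedelta
from urllib.request import Request, urlopen

# Assumed format of the timeAccessed field in the endpoint's JSON output.
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def fetch_tokens(base_url, user, password):
    """Fetch the live endpoint from splunkd (needs an admin-capable login)."""
    url = base_url.rstrip("/") + "/services/admin/httpauth-tokens?output_mode=json&count=0"
    req = Request(url)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urlopen(req) as resp:
        return json.load(resp)


def active_sessions(feed, now, idle_limit=timedelta(minutes=30)):
    """Group tokens by user: {user: {"tokens": n, "last_seen": datetime, "idle": bool}}."""
    per_user = {}
    for entry in feed.get("entry", []):
        content = entry.get("content", {})
        user = content.get("userName")
        if not user:
            continue  # skip entries without an owning user
        seen = datetime.strptime(content["timeAccessed"], TIME_FMT)
        rec = per_user.setdefault(user, {"tokens": 0, "last_seen": seen})
        rec["tokens"] += 1
        rec["last_seen"] = max(rec["last_seen"], seen)
    for rec in per_user.values():
        # A token that has not been used for longer than idle_limit is flagged;
        # it is still valid for splunkd, which is why this check matters.
        rec["idle"] = now - rec["last_seen"] > idle_limit
    return per_user


# Constructed sample response (not captured from a real server): admin holds
# two tokens, alice one that has not been used for hours.
SAMPLE_FEED = {"entry": [
    {"name": "tok1", "content": {"userName": "admin", "timeAccessed": "Mon Jan 06 09:00:00 2014"}},
    {"name": "tok2", "content": {"userName": "admin", "timeAccessed": "Mon Jan 06 10:55:00 2014"}},
    {"name": "tok3", "content": {"userName": "alice", "timeAccessed": "Mon Jan 06 08:00:00 2014"}},
]}

if __name__ == "__main__":
    now = datetime(2014, 1, 6, 11, 0, 0)
    for user, rec in sorted(active_sessions(SAMPLE_FEED, now).items()):
        print(f"{user}: {rec['tokens']} token(s), last seen {rec['last_seen']}, idle={rec['idle']}")
```

Point `fetch_tokens` at `https://splunk-server:8089` to replace `SAMPLE_FEED` with live data; a user listed here has a usable session key even if the audit log shows no recent searches from them.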