Security

logged in users

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'd like to identify Splunk currently and/or today's logged users.
Using | rest /services/authentication/current-context splunk_server=local | rename username AS user | table user realname roles I can identify the logged users; and using index=_audit NOT (user="n/a" OR user="splunk-system-user" OR "scheduler__nobody__search" OR "admin" OR "nobody") NOT "REST" NOT scheduler | join type=left user [| rest /services/authentication/current-context splunk_server=local | rename username AS user | table user realname roles ] | transaction user I can identify today's logged users.

My problem is to identify when users was logged in because I have Splunk configured in SSO with an external authentication system so I cannot find action="login attempt" (that I usually find in _audit index to understand that a user is logged in).
Someone has an idea how to have the time session of a Splunk user when there is a SSO authentication?

Bye.
Giuseppe

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi cusello,

a long time ago I wrote this answer https://answers.splunk.com/answers/107574/track-users-logging-in-via-sso.html maybe it helps you as well.

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi cusello,

a long time ago I wrote this answer https://answers.splunk.com/answers/107574/track-users-logging-in-via-sso.html maybe it helps you as well.

cheers, MuS

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...