As far as I'm aware there's no way to do this in Splunk itself. You should be able to do this with something like an F5 LTM/APM married up with an iRule to limit concurrent sessions, but from what you've said I doubt this is what you're after.
This sounds like a scaling or user management issue rather than a technical one. Is there any reason why you want to limit admin users in particular?
Cheers,
RT
Hi All,
Just a quick check if anyone has successfully solved this issue based on current version 6.3.
James
Nope. Concurrent users aren't a metric Splunk really cares about. Recall that if a user is logged in and sitting on a Splunk dashboard or the S&R app and not doing anything other than looking at the results of a search or of a view that has already completed loading, there is no "load" on Splunk for that user. It is only when the user is executing searches or loading dashboards that they are generating search load.
Note that with recent versions of Splunk, as a user types in SPL, there is a small amount of "typeahead" load that is generated as Splunk tries to help out the user with Splunk command syntax and search through the user's history attempting to match previous searches.
If you're interested in looking up who is logged in, you could use the following search to determine how many sessions are logged in with a single account:

    index=_internal sourcetype="splunk_web_access" user!="-" | transaction user | where mvcount(clientip) > 1 | table user clientip

Depending on your enterprise setup, you could also do a lookup by IP to determine who is logged in from which workstation.
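The same check as the search above, as an added example that is not part of the original reply: a standalone script that flags accounts seen from more than one client IP, and goes one step further by requiring the IPs to appear within a time window of each other. The log lines are constructed, the simplified line layout (client IP, user, bracketed timestamp) is an assumption, and `shared_accounts` and the 15-minute window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; layout assumed: clientip - user [timestamp] "request" status
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Oct/2015:10:00:01.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200
10.0.0.9 - admin [12/Oct/2015:10:04:30.000 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200
10.0.0.7 - jsmith [12/Oct/2015:10:05:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200
10.0.0.7 - jsmith [12/Oct/2015:10:06:00.000 +0000] "GET /en-US/app/search/reports HTTP/1.1" 200
10.0.0.8 - - [12/Oct/2015:10:07:00.000 +0000] "GET /en-US/account/login HTTP/1.1" 200
10.0.0.5 - ops1 [12/Oct/2015:08:00:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200
10.0.0.6 - ops1 [12/Oct/2015:14:00:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"


def parse(lines):
    """Yield (user, clientip, timestamp) for authenticated requests only."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":  # same filter as user!="-" in the search
            continue
        yield m["user"], m["clientip"], datetime.strptime(m["ts"], TS_FORMAT)


def shared_accounts(lines, window=timedelta(minutes=15)):
    """Return {user: sorted client IPs} for accounts used from >1 IP within `window`."""
    events = defaultdict(list)
    for user, ip, ts in parse(lines):
        events[user].append((ts, ip))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) > 1:
                flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in shared_accounts(SAMPLE_LOG.splitlines()).items():
        print(user, ", ".join(ips))
```

With the default window only `admin` is reported; `ops1` also used two addresses, but six hours apart, which looks like one person changing workstations rather than two simultaneous sessions.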
I'm currently doing user planning for a distributed deployment now so I feel your pain. Best of luck.
Thank you for your comment.
As you guessed, I need to limit a certain number of users because the sizing of Splunk and hardware as well as the whole network needs to be under control. There is no ongoing issue, but I simply need the feature as a system requirement.