Is it possible to query for online users via CLI, not through SPL? I reboot frequently and want my reboot shell script to say "WARNING: (1) users are online. Are you sure you want to reboot?"
Currently I run an SPL search every time I reboot to make sure nobody is online, which is a huge pain.
Or am I limited to doing this with the Python SDK?
You can search from the CLI, but you'll still have to use SPL:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/CLIsearchsyntax
Thanks. I should have clarified, I am fine doing it through SPL, I just didn't want to do it through the search UI.
I didn't use the Python SDK to write this, just did it in normal Python (my bash scripting isn't quite up to par to do this in bash):

    import os

    # Run the `users_online` macro over the last 3 minutes through the Splunk CLI.
    # The backticks are escaped so the shell passes them through to Splunk unchanged.
    query = os.popen('/opt/splunk/bin/splunk search "search earliest=-3m latest=now \\`users_online\\`"').read()

    # The CLI prints a dashed "--------" header separator only when the search returned rows.
    if "--------" in query:
        print("CAUTION: Users are online. Perform manual reboot.")
    else:
        print("Users are not online. Rebooting")
        os.system("/opt/splunk/bin/splunk stop -f && /opt/splunk/bin/splunk start")
Macro:

    (index=_internal sourcetype=splunkd_ui_access uri_path="/en-US/app*")
        OR (index=_audit AND action="login attempt"
            OR (search!="" search_id!="'scheduler*" search_id!="scheduler*" search_id!="'subsearch*"))
        user!="splunk-system-user" user!="n/a" user!="ME" user!=testuser* user!="-"
    | eval sortable_time=_time
    | eval time=strftime(sortable_time,"%Y-%m-%d %H:%M:%S")
    | streamstats count as temp_count
    | stats values(*) as * by temp_count
    | fields - temp_count
    | sort 0 sortable_time
    | dedup user
    | table user
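As an added example (not code from the thread or from Splunk), here is a variant of the same pre-reboot check that invokes the CLI through `subprocess` with an argument list instead of a shell string, so the backticks in the macro need no escaping, and that parses the result rows so the script can print the "(N) users are online" message the question asked for. It assumes the CLI is already authenticated (e.g. after `splunk login`), that the `users_online` macro from the answer exists, and that the CLI prints its default table layout: a `user` header line, a dashed separator, then one row per user, which is the same layout the `--------` check above relies on. It also fails closed: if the search cannot run, it does not restart Splunk. The sample CLI outputs are constructed for illustration.

```python
import subprocess
from typing import List

SPLUNK = "/opt/splunk/bin/splunk"  # assumed install path, as in the answer
# Same macro-based search the answer uses. Passed as one argv element, so the
# backticks reach Splunk unchanged and no shell quoting is involved.
SEARCH = "search earliest=-3m latest=now `users_online`"

# Constructed sample CLI output (assumed default table layout), used for testing.
SAMPLE_OUTPUT_WITH_USERS = "user\n--------\nalice\nbob\n"
SAMPLE_OUTPUT_EMPTY = ""


def parse_users(cli_output: str) -> List[str]:
    """Extract usernames from Splunk CLI table output.

    Assumes a header line, a dashed separator line, then one row per result.
    Returns [] when no rows came back (the CLI prints no separator then).
    """
    lines = [ln.strip() for ln in cli_output.splitlines()]
    for i, ln in enumerate(lines):
        dashes = ln.replace(" ", "")
        if dashes and set(dashes) == {"-"}:
            return [row for row in lines[i + 1:] if row]
    return []


def run_users_online_search(timeout: int = 60) -> List[str]:
    """Run the search via the CLI (no shell) and return the users it found."""
    proc = subprocess.run(
        [SPLUNK, "search", SEARCH],
        capture_output=True, text=True, timeout=timeout,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"splunk search failed: {proc.stderr.strip()}")
    return parse_users(proc.stdout)


def reboot_decision(users: List[str]) -> str:
    """Message for the reboot script: the answer's two branches, plus count and names."""
    if users:
        return (f"WARNING: ({len(users)}) users are online: "
                f"{', '.join(users)}. Aborting reboot.")
    return "Users are not online. Rebooting"


def main() -> int:
    try:
        users = run_users_online_search()
    except (OSError, RuntimeError, subprocess.TimeoutExpired) as exc:
        # Fail closed: if we cannot tell whether anyone is online, do not restart.
        print(f"WARNING: could not query Splunk ({exc}); not rebooting.")
        return 2
    print(reboot_decision(users))
    if users:
        return 1
    subprocess.run([SPLUNK, "stop", "-f"], check=True)
    subprocess.run([SPLUNK, "start"], check=True)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The non-zero exit codes let a wrapping shell script stop on either outcome (`python3 check_users.py && echo "restart done"`), and keeping the search string out of the shell avoids the quoting problem that forced the `\`` escapes in the `os.popen` version.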