Re: In a search head cluster, how do I search user...

ronak · ‎04-18-2015

What setup is required and what will be the search so that I can find out,

Who all have logged in to the system in the last 30 minutes
what kind of searches they are running
which search head (I've three in my cluster) these users were connected/logged in to

thanks, ronak

GDustin · ‎06-29-2017

splunk_webaccess -> splunk_ui_access

logged in users
index=_internal sourcetype=splunkd_ui_access | dedup host user | table host user _time req_time
logged in users rolling time

index=_internal sourcetype=splunkd_ui_access | table host user _time req_time

sk314 · ‎06-27-2016

If you have an indexer cluster -> You should have all this info in the Distributed Management Console on the Cluster Master.

GDustin · ‎06-29-2017

where it that in DMC?

pradeepkumarg · ‎04-18-2015

Start here

For users logged in, and search head they are in



index=_internal sourcetype=splunk_webaccess | dedup host USER | table host USER

For the searches issued..



index=_internal sourcetype=splunkd_remote_searches

Cross check the sourcetypes for the exact naming..

mendesjo · ‎06-22-2016

sourcetype of splunk_webaccess at least in 6.3.3 version isn't available..

GDustin · ‎06-29-2017

verified 6.5.3
index=_internal sourcetype=splunkd_ui_access | dedup host user | table host user _time req_time

In a search head cluster, how do I search users that have logged in the last 30 minutes, on what cluster member, and what kind of searches they are running?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?