Hi Guys !!
Today we will show you how to create a Splunk User Analysis and Monitoring dashboard. To achieve this we need to create the panels below in our dashboard:
1) Total Number of Currently Logged-in Users
2) Total Number of Logged-in Users in the Last 24 Hours
3) List of Active Users Logged in with Details
4) List of Users who Exported Results from Splunk
5) Knowledge Objects Created by Users
6) Long-Running Search OR Service-Impacting Search Run by User
7) User Name and the Index they Queried
8) Knowledge Objects Created by Users
9) List of Saved Searches by Users
10) List of Unique Email Addresses Configured in the Saved Searches
Let’s begin the journey:
1. Total Number of Currently logged in Users:
Using the below query you can find the currently logged-in Users in Splunk.
| rest /services/authentication/httpauth-tokens
| search splunk_server="local"
| table userName
| dedup userName
| search NOT userName="splunk-system-user"
| stats count as "Active User currently logged in"
Result:
2. Total Number of Logged-in Users in the Last 24 Hours:
Using the below query (with the time range set to the last 24 hours) you can find how many distinct users logged in to Splunk in that window.
index="_audit"
[ search index=_internal source="*web_access.log*" user!="-"
| stats count by user
| fields user]
| table user
| dedup user
| stats dc(user) as "UserName"
Result:
3. List of Active Users Logged in with Details:
Using the below query you can find the details (user name, server and time of last access) of the users who are currently logged in to Splunk.
| rest /services/authentication/httpauth-tokens splunk_server=local
| search NOT userName="splunk-system-user"
| dedup userName
| rename "splunk_server" as "SplunkServer","timeAccessed" as "TimeOfAccess","userName" as "UserName"
| table UserName,SplunkServer,TimeOfAccess
Result:
4. List of Users who Exported Results from Splunk:
Using the below query you can find the list of users who exported search results from Splunk, together with the search they ran and the export format.
index=_audit action=search
| rex field=search_id "\'(.*_|)(?<search_id>(\d+\_\d+|\d+\.\d+|\d+\_\_\d+\.\d+))\'"
| where isnotnull(search_id)
| table search_id,search
| join search_id
[ search index=_internal file=export
| rex field=uri_path "(?<search_id>\d+\.\d+)\/\w+.*"
| table search_id,user,output_mode]
| dedup user,output_mode,search
| fields - search_id
| rename user as UserName,search as SearchQuery,output_mode as ResultFormat
| table UserName,SearchQuery,ResultFormat
Result:
5. Knowledge Objects Created by Users:
Using the below query you can find which type of knowledge object (saved search or dashboard) each user created in Splunk, and whether the request succeeded. The OR must be parenthesized, otherwise the index and sourcetype filters only apply to the first uri_path pattern.
index=_internal sourcetype="splunkd_ui_access" (uri_path="*/data/ui/views/*" OR uri_path="*saved/searches/*")
| dedup uri_path
| eval URL=urldecode('uri_path')
| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)"
| rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)"
| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )"
| eval NAME=coalesce(NAME,NAME1)
| eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR")
| stats list(NAME) as NAME,list(method) as MethodName,list(status) as Status_Code,list(STATUS) as STATUS by user
| rename user as User
Result:
6. Long-Running Search OR Service Impacting search Run by User:
Using the below query you can find long-running or service-impacting searches run by users in Splunk. If the run time is more than 5 minutes, the search is considered to be impacting the service.
index="_audit" action="search" search=* NOT user="splunk-system-user" exec_time=*
| table user,search,total_run_time
| sort - total_run_time
| eval 'Total_Run_Time(Min)'=(total_run_time/60)
| fields - total_run_time
| rename user as UserName,search as Search
Result:
7. User Name and the Index they Queried:
Using the below query you can find the User Name and the Index they Queried.
index="_audit" action=search search="*index*" user=* NOT user=splunk-system-user
| rex field=search "index\s*\=\s*(\"|)(?<indexname>[^\s\"\']+)"
| rex field=search "\"index\"\=\"(?<indexname1>.*?)\"\s+.*"
| eval IndexName=coalesce(indexname,indexname1)
| stats values(IndexName) as "IndexName" by user
| rename user as User
Result:
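For panels 6 and 7 above, here is an added Python example (not from the original post) that replays the same index-extraction regexes and the 5-minute threshold over a few constructed _audit-style events, so you can check which forms of index=... are picked up before trusting the dashboard numbers. The event lines and their values are constructed approximations of the _audit log format, not real Splunk output.

```python
import re
from collections import defaultdict
# Constructed _audit-style events (not real Splunk output); one search audit record per line.
SAMPLE_AUDIT = [
    "Audit:[user=alice, action=search, info=completed, search_id='1704877201.10', "
    "search='search index=main sourcetype=syslog | stats count', total_run_time=412.50][n/a]",
    "Audit:[user=bob, action=search, info=completed, search_id='1704877500.11', "
    "search='search \"index\"=\"_audit\" action=search | head 10', total_run_time=3.20][n/a]",
    "Audit:[user=alice, action=search, info=granted, search_id='1704877560.12', search='search index = \"web\" status=500'][n/a]",
    "Audit:[user=splunk-system-user, action=search, info=completed, search_id='1704877620.13', "
    "search='search index=_internal | head 1', total_run_time=900.00][n/a]",
]
# key=value pairs; the search text is single-quoted and may contain commas, spaces and double quotes.
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]\s]+)")
INDEX_RE = re.compile(r"index\s*=\s*(\"|)(?P<name>[^\s\"']+)")   # index=main, index="main", index = main
INDEX_QUOTED_RE = re.compile(r"\"index\"=\"(?P<name>.*?)\"\s+.*")  # "index"="main" ...

def parse_audit(line):
    """Return one _audit event as a dict, with the surrounding quotes stripped from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw[:1] in ("'", '"') and raw[-1:] == raw[:1]:
            raw = raw[1:-1].replace("\\'", "'")
        fields[key] = raw
    return fields

def index_from_search(search):
    """First index name in a search string, or None (mirrors the two rex patterns + coalesce of panel 7)."""
    m = INDEX_RE.search(search) or INDEX_QUOTED_RE.search(search)
    return m.group("name") if m else None

def indexes_by_user(events):
    """Panel 7: distinct index names queried per user, system user excluded."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("action") != "search" or ev.get("user") in (None, "splunk-system-user"):
            continue
        name = index_from_search(ev.get("search", ""))
        if name:
            seen[ev["user"]].add(name)
    return {user: sorted(names) for user, names in seen.items()}

def long_running(events, threshold_sec=300):
    """Panel 6: searches over the page's 5-minute threshold, slowest first, run time in minutes."""
    rows = [(ev["user"], ev["search"], round(float(ev["total_run_time"]) / 60, 2))
            for ev in events if ev.get("action") == "search" and "total_run_time" in ev
            and ev.get("user") != "splunk-system-user" and float(ev["total_run_time"]) > threshold_sec]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Note that an event whose search was only granted (no total_run_time yet) is skipped by long_running, which matches the exec_time=* filter in the SPL.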
8. Knowledge Objects Created by Users:
Using the below query you can find, from the REST endpoints, which users own field extractions, saved searches, macros, event types, dashboard panels, lookups and views.
| rest /servicesNS/-/-/data/props/extractions
| search splunk_server="local"
| rename eai:acl.owner as User
| table User
| dedup User
| eval Object="Field Extraction"
| append
[ search index=_internal sourcetype=scheduler alert_actions!=""
| rename user as User
| table User
| dedup User
| eval Object="Saved Search"]
| append
[| rest /servicesNS/-/-/configs/conf-macros splunk_server="local"
| rename eai:userName as User
| table User
| dedup User
| eval Object="Macro"]
| append
[| rest /servicesNS/-/-/saved/eventtypes splunk_server="local"
| rename eai:userName as User
| table User
| dedup User
| eval Object="Event"]
| append
[| rest /servicesNS/-/-/data/ui/panels splunk_server="local"
| rename eai:userName as User
| table User
| dedup User
| eval Object="Dashboard Panel"]
| append
[| rest /servicesNS/-/-/data/props/lookups/ splunk_server="local"
| rename author as User
| table User
| dedup User
| eval Object="Lookup"]
| append
[| rest /servicesNS/-/-/data/ui/views splunk_server="local"
| rename author as User
| table User
| dedup User
| eval Object="Views"]
| stats values(*) as * by User
Result:
9. List of Saved Searches by Users:
Using the below query you can find the list of scheduled saved searches by user, excluding searches owned by nobody (app-level objects with no individual owner).
| rest /servicesNS/-/-/saved/searches splunk_server="local"
| search is_scheduled=1
| rename eai:acl.owner as "User",title as "SavedSearch",eai:acl.app as "AppName",cron_schedule as "Cron_Schedule",dispatch.earliest_time as "EarliestTime",dispatch.latest_time as "LatestTime",action.email.to as "EmailID"
| search NOT User="nobody"
| table User,SavedSearch,AppName,Cron_Schedule,EarliestTime,LatestTime,EmailID
Result:
10. List of Unique email addresses configured in the Saved Search:
Using the below query you can find the List of Unique email addresses configured in the Saved Search.
| rest /servicesNS/-/-/saved/searches splunk_server="local"
| search is_scheduled=1
| rename eai:acl.owner as "User",title as "SavedSearch",action.email.to as "EmailID"
| search NOT User=nobody
| table User,SavedSearch,EmailID
| eval Unique_EmailID=split(EmailID,",")
| table User SavedSearch Unique_EmailID
| stats values(*) as * by User
| eval Unique_EmailID=mvdedup(Unique_EmailID)
Result:
We hope you have enjoyed this blog; we will come back with new Splunk topics. Until then, goodbye and stay safe and strong.
Happy Splunking !!