How to View the Current Logged in Users Information in Splunk
Hello everyone !!
Hope all of you are enjoying these blog posts. Today we have come with a new magic trick of Splunk. All of know that in the Search Head when we perform any query we take the help of SPL command.
Lets say there are multiple users are accessing Search Head. We will show you how to know the users information who are currently login in the splunk server. Whatever activity we do in Splunk all logs are stored in Splunk’s Default indexes.
Run the below command in search bar.
index=_internal user != "-" user != "nobody" user != "splunk-system-user" | rex field=_raw "\/en-US\/account\/(?<USER_STATUS>\w+)\s+.*" | stats latest(_time) as max_time by user,USER_STATUS | xyseries user,USER_STATUS,max_time | where logout<login | fields user,login | eval login=strftime(login,"%d-%m-%Y %I:%M:%S %P")
Result:
Description : We all know that users login and logout logs are stored in _internal index. So at first using rex command we will extract the portion login and logout. We will store the values in a field called USER_STATUS .Then, by the stats command we will calculated last login and logout time. After that by xyseries command we will format the values. Who will be currently logged in the Splunk, for those users last login time must be greater than the last logout time. By where command we compared where login time is greater than logout time. Then by fields command we have taken user and login field. At last by the strftime function with eval command we have converted epoch time into human readable format. Now you can see that we are getting users information who are currently logged in Splunk.
Hope this has helped you in achieving the below requirement without fail !!
How to View the Current Logged in Users Information in Splunk
Happy Splunking !!