Internal Splunk User Stats

• _internal
• SplunkNinja
• 4 0

This simple Splunk query will show us unique Splunk user logged into Splunk per day, as well as total count of log-ons.

index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users

1	index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users

Continue Reading →

List All Splunk Users & Associated Roles

• REST
• john117
• 1 1

The following Splunk query will show a table of all users and their roles:

| rest /services/authentication/users | stats values(roles) as Roles by user

1	| rest /services/authentication/users | stats values(roles) as Roles by user

*Admin Notes* I’ve found the following query to work better in my environment:

| rest /services/authentication/users | stats values(roles) as Roles by title

1	| rest /services/authentication/users | stats values(roles) as Roles by title

Continue Reading →

Splunk Admin Account Activity – Role Modifications

• _internal
• john117
• 1 0

This Splunk query shows when the admin account performed Create or Modify Roles actions:

index="_audit" action=edit_roles operation=* | table _time user operation object*

1	index="_audit" action=edit_roles operation=* | table _time user operation object*

Continue Reading →

Splunk Admin Account Activity – Account Modifications

• _internal
• john117
• 2 0

This Splunk query shows when the admin account performed Account Modification / Deletion / Creation actions:

index=_audit user=admin action=edit_user operation=* | table _time user operation object*

1	index=_audit user=admin action=edit_user operation=* | table _time user operation object*

Continue Reading →

Index Modifications

• _internal
• john117
• 0 1

This Splunk query should show which users attempted to modify an index and if that action was successful:

index=_audit user=* action=indexes_edit | stats count by index info user action

1	index=_audit user=* action=indexes_edit | stats count by index info user action

Continue Reading →

Splunk Server Restart Duration

• _internal/ audittrail/ splunkd
• ItsJohnLocke
• 5 0

As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself.  

index=_audit (action="splunkShuttingDown" OR action="splunkStarting") | eval Date=strftime(_time, "%Y/%m/%d") | transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting" | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as "Splunk Restart Duration" splunk_server as "Splunk Server"

1

index=_audit (action="splunkShuttingDown" OR action="splunkStarting") | eval Date=strftime(_time, "%Y/%m/%d") | transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting" | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as "Splunk Restart Duration" splunk_server as "Splunk Server"

Continue Reading →

Splunk Query Count by users

• _internal
• databeastmaster
• 0 0

index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f

1	index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f

Continue Reading →

Failed Attempts to Logon to Splunk Web

• _internal
• SplunkNinja
• 4 Comments
• 2 0

The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an average (from eventstats).  

index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts| eventstats avg(Failed_Attempts) as Average

1	index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts| eventstats avg(Failed_Attempts) as Average

Continue Reading →