Site Search
Security business menu
Security business
HOME
To be elected
cause
Service
Handling Manufacturer
Examples/reports/
Blog/Glossary
Seminar/
video on demand
TOP
Products/Services
Specifications/Technical Information
solution
User stories
support
Seminar content
Evaluation machine application/FAQ
Document request
inquiry
Event/Seminar
video on demand

How administrators can identify users who have logged into or out of Splunk

release date
2017-04-06
last updated
2023-12-05
version
Splunk Enterprise 9.0.3
Overview
Learn how administrators can identify users who have logged in to or logged out of Splunk.
Reference information
content

Internal log output at login/logout

When a user logs into or out of Splunk, data is written to Splunk's internal logs.

Splunk can search its own internal log in Splunk just like imported data, so you can understand the login/logout status of users by performing the following search.

Search statement to search logs output at login/logout

○ Login

You can search the log that is output when you log in using the search statement below.

index="_audit" action=log* action="login attempt"

[Sample log]
Audit:[timestamp=02-20-2023 14:41:59.309, user=admin, action=login attempt, info=succeeded reason=user-initiated useragent=xxxxxxx clientip=xx.xxx.xx.xxx method=Splunk session= xxxxxxxxxx]

○ Logout

You can search for the logs that are output when you log out by selecting "Logout" from Splunk using the search phrase below.

index="_audit" action=log* action="logout"

[Sample log]
Audit:[timestamp=02-20-2023 14:43:07.949, user=admin, action=logout, info=succeeded reason=user-initiated useragent=xxxxxxx clientip=xx.xxx.xx.xxx session=xxxxxxxxxxx]

※Note
If you close your browser and disconnect from your session with Splunk, no logout log will be output.

that's all

to previous page