Created
June 27, 2018 13:29
Splunk search to check app usage on an SH
index=_internal host=<your search head(s) here> app=* source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" OR source="/opt/splunk/var/log/splunk/web_access.log"
| rex "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+-\s+(?<user>\S+)"
| search NOT (user="-" OR user=<your user, if you recently visited the apps>)
| stats max(_time) as last_used dc(user) as app_user_count values(user) as user by app host
| convert ctime(last_used)
| search NOT (app=search OR app=launcher)
# The rex captures the username token that follows the client IP and " - " in the access log; "-" means an unauthenticated request, which the next line drops.
# I filtered my own user because I was visiting every app just before running this search.
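The same logic re-implemented in Python, added here as an example (not part of the gist), run over constructed web_access.log-style lines; the host name, usernames, IPs and app names are made up:

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of Splunk's web_access.log (not real logs).
# Shape: client_ip - user [timestamp] "METHOD /<locale>/app/<app>/<view> HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.1.2.3 - alice [27/Jun/2018:13:01:10.123 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 1024
10.1.2.4 - bob [27/Jun/2018:13:02:11.456 +0000] "GET /en-US/app/SplunkEnterpriseSecuritySuite/index HTTP/1.1" 200 2048
10.1.2.5 - - [27/Jun/2018:13:03:12.789 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 303 0
10.1.2.6 - carol [27/Jun/2018:13:04:13.000 +0000] "GET /en-US/app/SplunkEnterpriseSecuritySuite/incident_review HTTP/1.1" 200 4096
10.1.2.7 - alice [27/Jun/2018:13:05:14.000 +0000] "GET /en-US/app/my_custom_app/dashboard HTTP/1.1" 200 512
"""

# Same idea as the gist's rex: IP, " - ", then the user token ("-" when unauthenticated),
# plus the app name taken from the /app/<app>/ path segment.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) /[^/\s]+/app/(?P<app>[^/\s"]+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"


def app_usage(log_text, host, exclude_users=(), exclude_apps=("search", "launcher")):
    """stats max(_time) as last_used dc(user) values(user) by app host, with the gist's filters."""
    acc = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an app page view; skipped just like a non-matching rex
        user, app = m.group("user"), m.group("app")
        # Drop unauthenticated hits, the caller's own user and the default apps.
        if user == "-" or user in exclude_users or app in exclude_apps:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        entry = acc.setdefault((app, host), {"last_used": ts, "users": set()})
        entry["last_used"] = max(entry["last_used"], ts)
        entry["users"].add(user)
    # Splunk's convert ctime() renders epoch time as "%m/%d/%Y %H:%M:%S" by default.
    return {
        key: {
            "last_used": e["last_used"].strftime("%m/%d/%Y %H:%M:%S"),
            "app_user_count": len(e["users"]),
            "user": sorted(e["users"]),
        }
        for key, e in acc.items()
    }
```

Calling `app_usage(SAMPLE_LOG, "sh01")` yields one row per (app, host) with the last access time, distinct-user count and user list, the same shape as the Splunk result table.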