topic Why is the user shown in the results is not the user who is running the query? in Security

Why is the user shown in the results is not the user who is running the query?

IRHM73 — Wed, 29 Jun 2022 20:25:39 GMT

Hi,

I wonder whether someone may be able to help me please.

I'm running the query below to obtain information about searches that are being run on Splunk and the query works fine.

|rest /services/search/jobs  
|rename custom.search as customSearch  
|search NOT author="splunk-system-user"  
|eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
|search SearchString!=""

The problem I have is that the user shown in the results is not the user who is running the query, often through an app, but rather the owner of the app and developer of the query i.e. me.

So I tried another query I found (see below) which does extract the person who is performing the search, but unlike the first query doesn't report the time range used and the duration of the search, well not that I can find.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort user | fields user search _time

Could someone tell me please it possible to use a query which will retrieve the following data:

Owner of search
User of search
Search
Date Range Used In Search
Duration of the search
App Used

Many thanks and kind regards

Chris

Re: Splunk Searches Run By User

javiergn — Fri, 12 Feb 2016 10:00:44 GMT

Hi,

Trying joining both queries with search_id and see if that helps:

index=_audit action=search info=granted search=* 
    NOT "search_id='scheduler" 
    NOT "search='|history" 
    NOT "user=splunk-system-user" 
    NOT "search='typeahead" 
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs
    | search NOT author="splunk-system-user"
    | rename custom.search as customSearch, sid AS search_id  
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]

Re: Splunk Searches Run By User

chimell — Fri, 12 Feb 2016 10:05:55 GMT

Hi
try this

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table *

and specify certains information that you want for example see the following

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table user search maxtime timestamp

Re: Splunk Searches Run By User

IRHM73 — Mon, 15 Feb 2016 13:57:51 GMT

Hi @javiergn, thank you for taking the time to come back to me with this and my apologies for not coming back to you sooner.

The query works great and returns the information I need.

Once again many thanks and kind regards

Chris

Re: Splunk Searches Run By User

IRHM73 — Tue, 16 Feb 2016 09:20:29 GMT

Hi @chimell, thank you for taking the time to come back to me with this and my apologies for not replying sooner.

The query works great.

Many thanks and kind regards

Chris

Re: Splunk Searches Run By User

josf999 — Wed, 21 Sep 2016 08:09:09 GMT

@Chimell
Thanks a lot.Your query works great....

Re: Splunk Searches Run By User

sideview — Wed, 29 Jun 2022 18:47:14 GMT

This is a pretty complex problem - part of the puzzle is in the audit log's info="granted" event, another part is in the audit log's info="completed" event, even more of it is over in the introspection index.

Then of course for jobs that still exist on the filesystem there is a wealth more info you can get from the rest command or by a custom search command that inspects info.csv and status.csv.

I recommend checking out an app that we released recently called Sideview UI - specifically the view within that app called "user_activity".

This will do all of this for you, sidestep pretty thorny autokv problems in the audit data, and not just give you all of this per search, but also present stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched

it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc. So that admins can try and pick off the worst offenders first.

it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/

and there's a #sideview_ui channel for it in the community slack.