topic Re: Does Splunk log the SEARCH MODE (Verbose, Fast...) for each user's search. in Monitoring Splunk

Does Splunk log the SEARCH MODE (Verbose, Fast...) for each user's search.

splunkclarium — Mon, 08 Apr 2019 16:40:12 GMT

I would like to determine the search mode (Verbose, Fast...) for each user's search.

I am currently using this search from GoSplunk.c0m but I am having difficulty locating the search mode.

Can anyone assist?

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| rex "search\=\'(search|\s+)\s(?P[\n\S\s]+?(?=\'))"
| rex field=search "sourcetype\s*=\s*\"*(?[^\s\"]+)" 
| rex field=search "index\s*=\s*\"*(?[^\s\"]+)"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| convert ctime(Latest)

Re: Does Splunk log the SEARCH MODE (Verbose, Fast...) for each user's search.

MuS — Mon, 08 Apr 2019 21:11:26 GMT

Hi splunkclarium,

I usually use something like this to get the search.mode :

index=_internal sourcetype=splunkd_ui_access q!="" 
| rex field=uri_query "display\.page\.search\.mode=(?<search_mode>[^\&]+)" 
| table _time host user q search_mode 
| eval q=urldecode(q)

Hope this helps ...

cheers, MuS

Re: Does Splunk log the SEARCH MODE (Verbose, Fast...) for each user's search.

splunkclarium — Tue, 09 Apr 2019 13:09:53 GMT

It did. THanks!!

Re: Does Splunk log the SEARCH MODE (Verbose, Fast...) for each user's search.

amounika — Tue, 05 Nov 2019 13:32:42 GMT

The accepted query is not working all the time. In certain internal logs for few user searches we doesn't have "q" field in the logs and search mode field is also not defined.

By using restAPI we are able to check the saved search result and user activity but it is server specific.

Could you provide a way to track each user's search and the mode of search(In particular Verbose) and the query ran for a particular peroid for a clustered envirnoment.