topic Re: Check search history of all users on SH cluster excluding dashboard searches in Dashboards & Visualizations

Check search history of all users on SH cluster excluding dashboard searches

tusharsaran1 — Tue, 03 Apr 2018 08:31:14 GMT

Is there a way to list all sourcetypes that have been searched by all users across a SH cluster, excluding searches that are executed in a dashboard?

Re: Check search history of all users on SH cluster excluding dashboard searches

splunker12er — Tue, 03 Apr 2018 08:38:08 GMT

try this,

ad-hoc searches

index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | rex "search='(?<search>.*?)', autojoin" | search search_id!=scheduler_* | convert num(total_run_time) | eval user = if(user="n/a", null(), user) | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id | search search=search* search!=*_internal* search!=*_audit* | chart median(total_run_time) as "Median search time" perc95(total_run_time) as "95th Percentile search time" sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user | fieldformat "Last use" = strftime('Last use', "%F %T.%Q %:z")

Re: Check search history of all users on SH cluster excluding dashboard searches

splunker12er — Tue, 03 Apr 2018 08:39:56 GMT

also you can negate for users like

index=_audit action=search (id=* OR search_id=*) NOT (user="admin" OR user="*abc")