topic Re: User audit report in Reporting

User audit report

mcrouse — Mon, 05 May 2014 18:54:41 GMT

Hello, I am enhancing an existing Splunk instance and I want to build or find a report that will tell me who accessed the system and when, and what searches or reports they ran. Is there a canned report that will tell me this information? If not, can someone help me define the search to turn up this information? Thanks.

Re: User audit report

lguinn2 — Mon, 05 May 2014 19:00:50 GMT

This may be close to what you want:

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

You may want to play around with it to include/eliminate certain searches.

Re: User audit report

somesoni2 — Mon, 05 May 2014 21:45:32 GMT

You may want to look at the reports provided by SOS (splunk-on-splunk) app. They have reports with data like "UI Search Activity by User","Recent Usage by User (Non-Scheduled Only)"

Re: User audit report

splunkn — Thu, 23 Jun 2016 12:31:28 GMT

Hi Iguinn. Its a good answer. Could you please explain you have eliminated few words like typeahead metadata history and autosummary. I am able see the differences but am not able to understand the exact purpose

Thanks in advance