topic Re: Get user's search history in Splunk Search

Get user's search history

Branden — Fri, 11 Mar 2011 03:01:14 GMT

Quick question: how can I view a user's search history?

Re: Get user's search history

Glenn — Mon, 07 Oct 2013 16:20:14 GMT

The solution for 5.x and later is to use the "history" command in search. Ie.

| history

See http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/History

Re: Get user's search history

joebensimo — Tue, 17 Dec 2013 20:09:27 GMT

It appears that "history" only returns search history for the current user. Is there a way in 5.x to get history for all users?

Re: Get user's search history

joebensimo — Tue, 17 Dec 2013 21:52:25 GMT

Also, "history" suffers from the same problem as the "Jobs" page: it doesn't contain the full history. Viewing a dashboard with an auto-refresh can quickly blow through all the history that is retained for "history".

Re: Get user's search history

Runals — Wed, 12 Feb 2014 13:34:44 GMT

This thread came up in a search for something related. Figured I would share. Note having the double stats command in this context can get you in trouble if you have someone who has created a lot of searches. In general I like this method to display data in Splunk dashboards/views. Sucks when it is exported though. If nothing else everything up to the first pipe can be used. I'm wrapping the field and value components in quotes to make it a bit faster. The metadata search bit is from the default search page in 5x.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

Re: Get user's search history

proletariat99 — Mon, 09 Nov 2015 18:06:21 GMT

This is what I was looking for. Thanks! Well, I modified it a bit to dumb it down, but this works to just see who is running what:
index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user

Re: Get user's search history

mparks11 — Fri, 02 Sep 2016 18:23:10 GMT

Thanks for the input here. I found some odd results based on what a user says they were searching and what is reported out of the _audit index. Anyway, here's another method I found that may or may not be applicable, but it seemed to at least yield some results.

index=_internal user=* sourcetype=splunkd_ui_access | dedup q | table _time, q | eval q=urldecode(q)

Hope it might also help.

Re: Get user's search history

horsefez — Mon, 21 Nov 2016 16:22:03 GMT

Thank you for the update!

Re: Get user's search history

bohanlon_splunk — Tue, 29 Sep 2020 12:33:37 GMT

This post has a better solution:
https://answers.splunk.com/answers/151378/why-history-command-only-shows-my-searches-not-searches-run-by-all-users.html

OR
|history

Re: Get user's search history

David — Fri, 27 Jan 2017 11:01:17 GMT

Converting this answer to a comment, since it doesn't work as of Splunk 5.x, so that other correct answers will show up first.

You can do a search for:

index=_internal sourcetype=searches username

Re: Get user's search history

Branden — Fri, 27 Jan 2017 11:01:18 GMT

Thank you very much!

Re: Get user's search history

bohanlon_splunk — Fri, 27 Jan 2017 11:01:18 GMT

I downvoted this post because doesn't work in 6.5.x either.

Re: Get user's search history

alanden_splunk — Fri, 27 Jan 2017 11:01:18 GMT

This solution doesn't work

Re: Get user's search history

jtrucks — Fri, 27 Jan 2017 11:01:18 GMT

This no longer works with 5.x.

Re: Get user's search history

David — Fri, 27 Jan 2017 11:01:18 GMT

My pleasure! .

Re: Get user's search history

Runals — Fri, 27 Jan 2017 13:44:33 GMT

Which is a search originally posted in this thread 😃

Re: Get user's search history

David — Mon, 06 Feb 2017 15:23:07 GMT

Good call everyone! You should use index=_internal action=search search=* now. Or download the Search Activity app 🙂 https://splunkbase.splunk.com/app/2632/

Re: Get user's search history

dmcgeearke — Tue, 13 Nov 2018 16:19:00 GMT

This works great, but i do notice that all the dashboard searches that fire when a user hits a certain dashboard also go into the list under their name. Is there something i could add to the query to remove the dashboard triggered searches, and return ONLY searches triggered manually by a user?

Re: Get user's search history

dmcgeearke — Tue, 13 Nov 2018 16:31:26 GMT

Also, I'd like to be able to use the $click.value2$ to do a drilldown search, but it seems to be adding the single quotes before and after the search. Any ideas on how to remove those from the search query, either before displaying it, or on the drilldown?

Re: Get user's search history

mparks11 — Tue, 13 Nov 2018 19:51:39 GMT

There's probably a more elegant way, but this should work to remove the single quotes in your results, by appending to the end of your search:

| rex field=search mode=sed "s/^'//g"
| rex field=search mode=sed "s/'$//g"