topic Re: Which user is running search ? in Splunk Search

Which user is running search ?

maitrifer — Sun, 22 Nov 2020 06:54:04 GMT

Hi All, I have a requirement I wanted to check which user is running a search. I need help in SPL query to get user and search details.

Re: Which user is running search ?

thambisetty — Sun, 22 Nov 2020 08:02:09 GMT

index=_audit action=search | stats earliest(user) as user ,earliest(search) as search by search_id

Re: Which user is running search ?

vikramyadav — Sun, 22 Nov 2020 12:49:00 GMT

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"
| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"
| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| convert ctime(Latest)

--------------------------------------------------------

If this helps your like will be appreciated😊