https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256980#M176433 <P>this gives the Sourcetypes and indexes and usernames.</P> <PRE><CODE>index=_audit action=search search=* sourcetype=audittrail search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?&lt;SourcetypeUsed&gt;[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?&lt;IndexUsed&gt;[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed </CODE></PRE> Mon, 17 Oct 2016 08:45:21 GMT inventsekar 2016-10-17T08:45:21Z https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256979#M176432 <P>Hi guys, <BR /> hope you can help me. <BR /> I want to have a statistic of my users. The most of the users access the search&amp;reporting app and not a specific app. So, I want to have a report about the sourcetypes they are looking for. Example: <BR /> user XY searched sourcetype ZZ 4 times per day</P> <P>thanks for your help. <BR /> Cheers, Lisi</P> Mon, 17 Oct 2016 07:21:16 GMT https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256979#M176432 egreibl 2016-10-17T07:21:16Z https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256980#M176433 <P>this gives the Sourcetypes and indexes and usernames.</P> <PRE><CODE>index=_audit action=search search=* sourcetype=audittrail search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?&lt;SourcetypeUsed&gt;[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?&lt;IndexUsed&gt;[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed </CODE></PRE> Mon, 17 Oct 2016 08:45:21 GMT https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256980#M176433 inventsekar 2016-10-17T08:45:21Z https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256981#M176434 <P>Hi, </P> <P>thanks for your answer. <BR /> But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype. Maybe it is possible to search by the roles? because then I can identify between the different accessrights and therefore which sources where searched how often. </P> <P>to search for the field "role" it's not possible. do you know the field for "Roles"?<BR /> thanks</P> Mon, 17 Oct 2016 08:56:06 GMT https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256981#M176434 egreibl 2016-10-17T08:56:06Z https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256982#M176435 <P>"role" is not available. <BR /> ---- <EM>But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype</EM> ---- <BR /> are you looking for users who search without explicit sourcetype?</P> Mon, 17 Oct 2016 09:27:14 GMT https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256982#M176435 inventsekar 2016-10-17T09:27:14Z https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256983#M176436 <P>Unfortunately reporting on implicit sourcetypes or indexes is not possible, unless there is new auditing added in 6.5. The answer given by inventsekar is as close as you will come.</P> Mon, 17 Oct 2016 10:04:11 GMT https://community.splunk.com/t5/Splunk-Search/audit-see-users-behavior-users-searches-by-sourcetypes/m-p/256983#M176436 David 2016-10-17T10:04:11Z