https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498059#M194853 <P>I have used the query you have provided but it is not giving any results.<BR /> | tstats count where index=_audit TERM("_internal") by PREFIX("user=")</P> <P>Also tried like this, but no use.<BR /> | tstats count where index=_audit by user</P> Wed, 30 Sep 2020 05:25:53 GMT svelagala 2020-09-30T05:25:53Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498057#M194851 <P>How to get users(SAML authenticated) list who searched for data under particular index(_internal) in the last 24hrs.</P> Sat, 16 May 2020 19:42:54 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498057#M194851 svelagala 2020-05-16T19:42:54Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498058#M194852 <PRE><CODE>| tstats count where index=_audit TERM("_internal") by PREFIX("user=") </CODE></PRE> Sat, 16 May 2020 23:16:23 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498058#M194852 to4kawa 2020-05-16T23:16:23Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498059#M194853 <P>I have used the query you have provided but it is not giving any results.<BR /> | tstats count where index=_audit TERM("_internal") by PREFIX("user=")</P> <P>Also tried like this, but no use.<BR /> | tstats count where index=_audit by user</P> Wed, 30 Sep 2020 05:25:53 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498059#M194853 svelagala 2020-09-30T05:25:53Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498060#M194854 <P><CODE>PREFIX()</CODE> can work on splunk ver 8.<BR /> <CODE>user</CODE> is extracted at search time. so, you are not able to use with <CODE>tstats</CODE><BR /> If your splunk version is ver 7.X:</P> <PRE><CODE>index=_audit TERM("_internal") | stats count by user </CODE></PRE> <P>It's faster when <CODE>PREFIX</CODE> can be used.</P> Sun, 17 May 2020 21:40:24 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498060#M194854 to4kawa 2020-05-17T21:40:24Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498061#M194855 <P>Yes, it is 7.X for us.<BR /> index=_audit TERM("_internal") | stats count by user - this works good, but I would like to know the list of users based on index names.<BR /> For Example: <BR /> I would like to know the users who searched for all the index names ending with "_archive" like _internal_archive. if I run the below it is also giving wherever "_archive" is used, instead of not only in index names.<BR /> index=_audit TERM("*_archive") | stats count by user</P> <P>Can you help me on this <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> </P> Wed, 30 Sep 2020 05:27:46 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498061#M194855 svelagala 2020-09-30T05:27:46Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498062#M194856 <PRE><CODE>index=_audit TERM("_internal") | stats count values(search) as search by user | mvexpand search | rex field=search "index=(?\S+)" | eval index=trim(index,"\"") | stats values(user) by index </CODE></PRE> Mon, 18 May 2020 09:48:34 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498062#M194856 to4kawa 2020-05-18T09:48:34Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498063#M194857 <P>index=_audit TERM("_internal")<BR /> | stats count values(search) as search by user<BR /> | mvexpand search<BR /> | rex field=search "index=(?\S+)"<BR /> | eval index=trim(index,"\"")<BR /> | stats values(user) by index</P> <P>Above query almost worked but it is giving only results related to _internal index. Actually, I am looking for indexes ending with "_archive". Hence I tried in the below way.</P> <P>index=_audit<BR /> | stats count values(search) as search by user<BR /> | mvexpand search<BR /> | rex field=search "index=(?\S+)"<BR /> | eval index=trim(index,"\"")<BR /> | stats values(user) by index<BR /> |search index=*_archive</P> <P>let me know in case any optimization/better query can be provided <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> </P> Wed, 30 Sep 2020 05:27:54 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498063#M194857 svelagala 2020-09-30T05:27:54Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498064#M194858 <P>It is not profitable.</P> Mon, 18 May 2020 13:25:36 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498064#M194858 to4kawa 2020-05-18T13:25:36Z https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498065#M194859 <P>Then what could be suitable query for my requirement @to4kawa </P> Mon, 18 May 2020 14:03:11 GMT https://community.splunk.com/t5/Splunk-Search/List-of-users-who-searched-data-of-an-index/m-p/498065#M194859 svelagala 2020-05-18T14:03:11Z