topic Re: How to find all manual searches performed on a single index for a period of 1 month? in Splunk Search

How to find all manual searches performed on a single index for a period of 1 month?

splunkfriend123 — Wed, 08 Jun 2022 15:40:51 GMT

Hi Team,

I would like to retrieve following info through Splunk search

1. List of all splunk searches performed on a single index along with the user list along with timestamp of search performed for a given period ( 1 month or 1 year )

Re: How to find all manual searches performed on a single index for a period of 1 month?

jamie00171 — Wed, 08 Jun 2022 17:46:39 GMT

Hi @splunkfriend123 ,

This will give you a count by user:

index=_audit TERM(action=search) TERM(info=completed) search=* (TERM(index=my_index) OR TERM(myindex) OR TERM(=my_index))
| rex max_match=0 field=search "index[\s]*=[\s]*(?!_audit)(?<title>[\w_\-\*\"]+)"
| mvexpand title
| eval title = trim(replace(title, "\"", ""))
| search title=my_index
| stats count by user

This will give you a count by user and timestamp:

index=_audit TERM(action=search) TERM(info=completed) search=* (TERM(index=my_index) OR TERM(my_index) OR TERM(=my_index))
| rex max_match=0 field=search "index[\s]*=[\s]*(?!_audit)(?<title>[\w_\-\*\"]+)"
| mvexpand title
| eval title = trim(replace(title, "\"", ""))
| search title=my_index
| stats count by user, _time

just replace my_index with the index name you want to use.

Thanks,

Jamie

Re: How to find all manual searches performed on a single index for a period of 1 month?

jamie00171 — Wed, 08 Jun 2022 17:47:33 GMT

sorry the first search should be:

index=_audit TERM(action=search) TERM(info=completed) search=* (TERM(index=my_index) OR TERM(my_index) OR TERM(=my_index))
| rex max_match=0 field=search "index[\s]*=[\s]*(?!_audit)(?<title>[\w_\-\*\"]+)"
| mvexpand title
| eval title = trim(replace(title, "\"", ""))
| search title=my_index
| stats count by user

Re: How to find all manual searches performed on a single index for a period of 1 month?

PickleRick — Wed, 08 Jun 2022 19:48:34 GMT

Correct me if I'm wrong but will it catch searches where index is implicit?

Re: How to find all manual searches performed on a single index for a period of 1 month?

jamie00171 — Wed, 08 Jun 2022 20:02:51 GMT

Hi @PickleRick,

You're right, it won't. I suppose you would need to use a similar rex command to find the sourcetype(s) searched and then if there wasn't an associated index (i.e. it was implicit) use a join or similar with the metadata command to map the sourcetype to an index name?

Re: How to find all manual searches performed on a single index for a period of 1 month?

VatsalJagani — Thu, 09 Jun 2022 04:15:21 GMT

@jamie00171 - Will it have an issue with searches where the index is within a macro?

Re: How to find all manual searches performed on a single index for a period of 1 month?

isoutamo — Thu, 09 Jun 2022 06:28:51 GMT

I afraid that currently there is no way to find answer to this question. There is no audit log which told if bucket has accessed (read event from it and returned it to search). We have asked this couple of years ago from Splunk Support, and then they put this feature on "future development list". Maybe it's time to create official request to https://ideas.splunk.com to get it?

Currently you can find those queries which contains index name on SPL, but not other queries. Or at least I don' t know how it's possible.

r. Ismo